PSIRTSyslog not protected by an extra layer of authentication
Summary
A insufficient verification of data authenticity vulnerability [CWE-345] in FortiAnalyzer, FortiAnalyzer-BigData and FortiManager with FortiAnalyzer features may allow a remote unauthenticated attacker to send messages to the syslog server of FortiAnalyzer via the knoweldge of an authorized device serial number.
Affected Products
FortiManager version 7.4.0FortiManager version 7.2.0 through 7.2.3
FortiManager version 7.0.0 through 7.0.9
FortiManager 6.4 all versions
FortiManager 6.2 all versions
FortiAnalyzer-BigData 7.4 all versions are not affected
FortiAnalyzer-BigData version 7.2.0 through 7.2.5
FortiAnalyzer-BigData 7.0 all versions
FortiAnalyzer-BigData 6.4 all versions
FortiAnalyzer-BigData 6.2 all versions
FortiAnalyzer version 7.4.0
FortiAnalyzer version 7.2.0 through 7.2.3
FortiAnalyzer version 7.0.0 through 7.0.9
FortiAnalyzer 6.4 all versions
FortiAnalyzer 6.2 all versions
Solutions
Please upgrade to FortiAnalyzer-BigData version 7.4.0 or above
Please upgrade to FortiAnalyzer-BigData version 7.2.6 or above
Please upgrade to FortiManager version 7.4.1 or above
Please upgrade to FortiManager version 7.2.4 or above
Please upgrade to FortiManager version 7.0.10 or above
Please upgrade to FortiAnalyzer version 7.4.1 or above
Please upgrade to FortiAnalyzer version 7.2.4 or above
Please upgrade to FortiAnalyzer version 7.0.10 or above
AND
Configure the "un-encrypted-logging" option to disable receiving syslog without encryption through UDP(514) or TCP(514).
config system log setting
set un-encrypted-logging disable
Acknowledgement
Internally discovered and reported by Francesco Pesare from Fortinet's professional services team.Timeline
2023-10-10: Initial publication2023-10-30: Adding FortiManager with FortiAnalyzer features