Headline
CVE-2023-42788: Fortiguard
An improper neutralization of special elements used in an os command (‘OS Command Injection’) vulnerability [CWE-78] in FortiManager & FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.8, version 6.4.0 through 6.4.12 and version 6.2.0 through 6.2.11 may allow a local attacker with low privileges to execute unauthorized code via specifically crafted arguments to a CLI command
** PSIRT Advisories**
FortiManager / FortiAnalyzer - OS command injection
Summary
An improper neutralization of special elements used in an os command (‘OS Command Injection’) vulnerability [CWE-78] in FortiManager & FortiAnalyzer may allow a local attacker with low privileges to execute unauthorized code via specifically crafted arguments to a CLI command
Major Version
Affected Products
Solutions
FortiAnalyzer 7.4
7.4.0
Upgrade to 7.4.1 or above
FortiAnalyzer 7.2
7.2.0 through 7.2.3
Upgrade to 7.2.4 or above
FortiAnalyzer 7.0
7.0.0 through 7.0.8
Upgrade to 7.0.9 or above
FortiAnalyzer 6.4
6.4.0 through 6.4.12
Upgrade to 6.4.13 or above
FortiAnalyzer 6.2
6.2.0 through 6.2.11
Upgrade to 6.2.12 or above
FortiManager 7.4
7.4.0
Upgrade to 7.4.1 or above
FortiManager 7.2
7.2.0 through 7.2.3
Upgrade to 7.2.4 or above
FortiManager 7.0
7.0.0 through 7.0.8
Upgrade to 7.0.9 or above
FortiManager 6.4
6.4.0 through 6.4.12
Upgrade to 6.4.13 or above
FortiManager 6.2
6.2.0 through 6.2.11
Upgrade to 6.2.12 or above
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
Acknowledgement
Fortinet is pleased to thank security researchers Mickael Dorigny at Orange Cyberdéfense, Hélène Saliou, Férdéric Prevost, François-Xavier Picard and Orange CERT-CC at Orange group for discovering and reporting this vulnerability under responsible disclosure.
Timeline
2023-10-10: Initial publication