CVE-2021-43074: Fortiguard

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiWeb 6.4 all versions, 6.3.16 and below, 6.2 all versions, 6.1 all versions, 6.0 all versions; FortiOS 7.0.3 and below, 6.4.8 and below, 6.2 all versions, 6.0 all versions; FortiSwitch 7.0.3 and below, 6.4.10 and below, 6.2 all versions, 6.0 all versions; FortiProxy 7.0.1 and below, 2.0.7 and below, 1.2 all versions, 1.1 all versions, 1.0 all versions may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter.


**PSIRT Advisories**

FortiOS & FortiWeb - Padding oracle in cookie encryption

Summary

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy and FortiSwitch may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter.
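The advisory names two linked defects: the cookie's integrity is not properly verified (CWE-347), and the padding check runs in a way that lets an observer distinguish outcomes, which is what makes a padding oracle. The following added example, which is not Fortinet's code, shows the weak handling pattern next to the hardened one. It uses a constructed cookie layout (iv || ciphertext || HMAC tag), constructed demo keys, and a toy HMAC-based keystream in place of a real block cipher so that it runs with only the Python standard library; only the order of checks and the error behaviour are the point.

```python
"""Weak vs hardened handling of an encrypted, padded session cookie.
Added illustration for the advisory's vulnerability class; not Fortinet code.
Cookie layout, keys and the toy keystream cipher are constructed for the demo."""
import hashlib
import hmac
import os

BLOCK = 16
# Constructed demo keys (a real service derives separate keys from a secret).
ENC_KEY = b"demo-encryption-key-not-real-000"
MAC_KEY = b"demo-mac-key-not-real-00000000000"


class PaddingError(Exception):
    """Raised by _unpad when the PKCS#7 padding is malformed."""


class BadSignature(Exception):
    """Raised by the weak opener when the tag does not match."""


def _keystream(iv: bytes, n: int) -> bytes:
    """Toy PRF keystream: HMAC-SHA256(ENC_KEY, iv || counter) blocks.
    Stands in for a block cipher so the example needs no third-party library."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(ENC_KEY, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(data: bytes, iv: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(iv, len(data))))


def _pad(data: bytes) -> bytes:
    k = BLOCK - len(data) % BLOCK
    return data + bytes([k]) * k


def _unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise PaddingError
    k = data[-1]
    if k < 1 or k > BLOCK or data[-k:] != bytes([k]) * k:
        raise PaddingError
    return data[:-k]


def seal(session: bytes) -> bytes:
    """Encrypt-then-MAC: tag covers iv and ciphertext, so any change is detectable."""
    iv = os.urandom(BLOCK)
    ct = _xor(_pad(session), iv)
    tag = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def open_weak(cookie: bytes) -> bytes:
    """Weak pattern: decrypts and unpads BEFORE verifying the tag, and reports
    padding and signature failures differently. The distinct outcomes are the
    oracle: an observer learns whether a modified ciphertext unpads cleanly."""
    cookie = bytes(cookie)
    iv, ct, tag = cookie[:BLOCK], cookie[BLOCK:-32], cookie[-32:]
    session = _unpad(_xor(ct, iv))  # may raise PaddingError first
    if hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest() != tag:  # also not constant-time
        raise BadSignature
    return session


def open_hardened(cookie: bytes):
    """Hardened pattern: verify the tag over iv||ct in constant time before the
    ciphertext is touched; every failure collapses to the same generic None."""
    cookie = bytes(cookie)
    if len(cookie) < 2 * BLOCK + 32:
        return None
    iv, ct, tag = cookie[:BLOCK], cookie[BLOCK:-32], cookie[-32:]
    expected = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return _unpad(_xor(ct, iv))
    except PaddingError:
        return None  # unreachable for an authentic cookie; kept generic anyway


def classify(opener, cookie: bytes) -> str:
    """Name the externally observable outcome of one decryption attempt."""
    try:
        result = opener(cookie)
    except PaddingError:
        return "padding"
    except BadSignature:
        return "signature"
    return "ok" if result is not None else "reject"


def demo() -> dict:
    """Compare outcomes for an authentic cookie and two single-byte modifications."""
    cookie = seal(b"admin_session=7f3e; role=admin")  # constructed session data
    t_first = bytearray(cookie); t_first[BLOCK] ^= 0x01  # first ciphertext byte: padding intact
    t_last = bytearray(cookie); t_last[-33] ^= 0x80      # last ciphertext byte: padding invalid
    probes = (cookie, bytes(t_first), bytes(t_last))
    return {
        "weak": tuple(classify(open_weak, p) for p in probes),
        "hardened": tuple(classify(open_hardened, p) for p in probes),
    }


if __name__ == "__main__":
    print(demo())
```

The weak opener answers the two modified cookies with two different outcomes ("signature" versus "padding"), which is exactly the distinguishing signal a padding oracle relies on; the hardened opener answers both with the same generic rejection because the authenticity check comes first and uses `hmac.compare_digest`. A real fix is the same ordering with an AEAD mode, and, as the advisory's solution says, the vendor upgrade.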

Affected Products

FortiOS versions 7.0.3 and below
FortiOS versions 6.4.8 and below
FortiOS 6.2 all versions
FortiOS 6.0 all versions

FortiWeb 6.4 all versions
FortiWeb versions 6.3.16 and below
FortiWeb 6.2 all versions
FortiWeb 6.1 all versions
FortiWeb 6.0 all versions

FortiProxy versions 7.0.1 and below
FortiProxy versions 2.0.7 and below
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions

FortiSwitch versions 7.0.3 and below
FortiSwitch versions 6.4.10 and below
FortiSwitch 6.2 all versions
FortiSwitch 6.0 all versions

Solutions

Upgrade to FortiOS version 7.0.7 or above.
Upgrade to FortiOS version 6.4.9 or above.

Upgrade to FortiWeb version 7.0.0 or above.
Upgrade to FortiWeb version 6.3.17 or above.

Upgrade to FortiProxy version 7.0.7 or above.
Upgrade to FortiProxy version 2.0.8 or above.

Upgrade to FortiSwitch version 7.2.0 or above.
Upgrade to FortiSwitch version 7.0.4 or above.
Upgrade to FortiSwitch version 6.4.11 or above.
