Headline
CVE-2022-39948: Fortiguard
An improper certificate validation vulnerability [CWE-295] in FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.7, 6.4 all versions, 6.2 all versions, 6.0 all versions and FortiProxy 7.0.0 through 7.0.6, 2.0 all versions, 1.2 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds (when the latter are configured as Fabric connectors in FortiOS/FortiProxy).
PSIRT Advisories
FortiOS & FortiProxy - Lack of certificate verification when establishing secure connections with threat feed fabric connectors
Summary
An improper certificate validation vulnerability [CWE-295] in FortiOS and FortiProxy may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds (when the latter are configured as Fabric connectors in FortiOS/FortiProxy).
Affected Products
FortiProxy version 7.0.0 through 7.0.6
FortiProxy version 2.0 all versions
FortiProxy version 1.2 all versions
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.7
FortiOS version 6.4 all versions
FortiOS version 6.2 all versions
FortiOS version 6.0 all versions
Solutions
Please upgrade to FortiProxy version 7.2.0 or above
Please upgrade to FortiProxy version 7.0.7 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.8 or above
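The following is an added example, not part of the Fortinet advisory: a small triage helper that checks a device's product and firmware version against the affected ranges and fixed releases listed above. The function names and the "not listed" status are assumptions of this example, and it checks the version only; whether a threat feed is configured as a Fabric connector on the device has to be confirmed separately.

```python
import re

# Affected ranges copied from "Affected Products".
# (product, (major, minor)) -> (lowest patch, highest patch); None = "all versions"
AFFECTED = {
    ("FortiOS", (7, 2)): (0, 3),
    ("FortiOS", (7, 0)): (0, 7),
    ("FortiOS", (6, 4)): (0, None),
    ("FortiOS", (6, 2)): (0, None),
    ("FortiOS", (6, 0)): (0, None),
    ("FortiProxy", (7, 0)): (0, 6),
    ("FortiProxy", (2, 0)): (0, None),
    ("FortiProxy", (1, 2)): (0, None),
}

# Fixed releases copied from "Solutions", in ascending order.
FIXED = {
    "FortiOS": [(7, 0, 8), (7, 2, 4)],
    "FortiProxy": [(7, 0, 7), (7, 2, 0)],
}


def parse_version(text):
    """Parse 'X.Y.Z' (optionally prefixed with 'v') into an integer tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def triage(product, version_text):
    """Return (status, upgrade_targets).

    status is 'affected' when the version falls in a listed range, otherwise
    'not listed' (the advisory makes no statement about such versions).
    """
    major, minor, patch = parse_version(version_text)
    rng = AFFECTED.get((product, (major, minor)))
    if rng is None:
        return "not listed", []
    low, high = rng
    if patch < low or (high is not None and patch > high):
        return "not listed", []
    # Offer only the fixed releases that are newer than the running version.
    targets = [f for f in FIXED[product] if f > (major, minor, patch)]
    return "affected", [".".join(map(str, t)) for t in targets]
```
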