CVE-2022-35843: Fortiguard

An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component (7.2.0, 7.0.0 through 7.0.7, 6.4.0 through 6.4.9, 6.2 all versions, 6.0 all versions) and the FortiProxy SSH login component (7.0.0 through 7.0.5, 2.0.0 through 2.0.10, 1.2.0 all versions) may allow a remote and unauthenticated attacker to log in to the device by sending a specially crafted Access-Challenge response from the RADIUS server.


PSIRT Advisories

FortiOS & FortiProxy - SSH authentication bypass when RADIUS authentication is used

Summary

An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component may allow a remote and unauthenticated attacker to log in to the device by sending a specially crafted Access-Challenge response from the RADIUS server.
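The advisory gives no root-cause detail, so the following is an added example (not Fortinet's code) of the generic integrity check a RADIUS client is expected to perform on an Access-Challenge before trusting any of its attributes: verifying the Response Authenticator against the shared secret and the original Request Authenticator, as specified in RFC 2865. The shared secret, Request Authenticator and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_CHALLENGE = 11

# Attribute types used in the constructed sample
REPLY_MESSAGE = 18
STATE = 24


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; the length byte covers the 2-byte header."""
    out = b""
    for atype, value in attrs:
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_reply(code, ident, request_auth, attrs, secret):
    """Build a server reply with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_reply(packet, request_auth, secret):
    """Return True only if the Response Authenticator matches. A client must not act on
    Access-Challenge attributes (State, Reply-Message, ...) unless this check passes."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    """Constructed scenario: a genuine challenge verifies, a modified one does not."""
    secret = b"constructed-shared-secret"   # sample value, not a real secret
    request_auth = bytes(range(16))          # stand-in for the client's random Request Authenticator
    attrs = [(REPLY_MESSAGE, b"Enter token"), (STATE, b"\x01\x02")]
    challenge = build_reply(ACCESS_CHALLENGE, 7, request_auth, attrs, secret)
    tampered = challenge[:-2] + b"\x09\x09"  # State attribute altered in transit
    return verify_reply(challenge, request_auth, secret), verify_reply(tampered, request_auth, secret)
```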

Affected Products

FortiOS version 7.2.0
FortiOS version 7.0.0 through 7.0.7
FortiOS version 6.4.0 through 6.4.9
FortiOS version 6.2 all versions
FortiOS version 6.0 all versions
FortiProxy version 7.0.0 through 7.0.5
FortiProxy version 2.0.0 through 2.0.10
FortiProxy version 1.2.0 all versions

Solutions

Please upgrade to FortiOS version 7.2.2 or above
Please upgrade to FortiOS version 7.0.8 or above
Please upgrade to FortiOS version 6.4.10 or above
Please upgrade to FortiProxy version 7.0.7 or above
Please upgrade to FortiProxy version 2.0.11 or above

Acknowledgement

Fortinet is pleased to thank Egbert Nijmeijer from ICT Teamwork for reporting this vulnerability under responsible disclosure.
