-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2380
       FortiMail Increased Privileges - Remote With User Interaction
                               14 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiMail
Publisher:         Fortinet
Operating System:  Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Increased Privileges            -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-26099 CVE-2021-26095 CVE-2021-26091
                   CVE-2021-26090 CVE-2021-22129 CVE-2021-24015
                   CVE-2021-24007 CVE-2021-24020 CVE-2021-26100

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-21-019
   https://fortiguard.com/psirt/FG-IR-20-244
   https://fortiguard.com/psirt/FG-IR-21-031
   https://fortiguard.com/psirt/FG-IR-21-042
   https://fortiguard.com/psirt/FG-IR-21-023
   https://fortiguard.com/psirt/FG-IR-21-021
   https://fortiguard.com/psirt/FG-IR-21-012
   https://fortiguard.com/psirt/FG-IR-21-027
   https://fortiguard.com/psirt/FG-IR-21-003

Comment: This bulletin contains nine (9) Fortinet security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiMail - Unauthenticated encryption in IBE leads to email plaintext recovery

IR Number    : FG-IR-21-003
Date         : Jul 02, 2021
Risk         : 3/5
CVSSv3 Score : 5.6
CVE ID       : CVE-2021-26100
Affected Products: FortiMail: 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.11, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.12, 5.4.11, 5.4.10, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.13, 5.3.12, 5.3.10, 5.3.9, 5.3.8, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.10, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.11, 5.0.10, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0

Summary

A missing cryptographic step in FortiMail IBE (the encrypted messages carry no
integrity protection) may allow an unauthenticated attacker who intercepts them
to tamper with them undetected and, through that tampering, recover the
plaintexts.

Affected Products

FortiMail version 6.4.4 and below.
FortiMail version 6.2.6 and below.

Solutions

Upgrade to FortiMail version 7.0.0.

Fix for version 6.4 to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.


- --------------------------------------------------------------------------------


FortiMail - Improper cryptographic operations in cookie encryption potentially prone to forgery

IR Number    : FG-IR-21-019
Date         : Jun 16, 2021
Risk         : 3/5
CVSSv3 Score : 6.9
Impact       : Elevation of privilege
CVE ID       : CVE-2021-26095
Affected Products: FortiMail: 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0

Summary

The combination of various cryptographic issues in the session management of
FortiMail, including the encryption construction of the session cookie, may
allow a remote attacker already in possession of a cookie to reveal, alter or
forge its content, thereby escalating privileges.
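
The two summaries above (FG-IR-21-003, unauthenticated encryption in IBE, and
FG-IR-21-019, the session cookie construction) describe the same class of
weakness: a ciphertext that is encrypted but not authenticated can be altered
by someone who never learns the key. The Python below is an added illustration
written for this bulletin, not FortiMail's code (the advisories do not publish
the actual constructions). It uses a toy CTR-style stream cipher keyed with
SHA-256 so that it runs with the standard library alone, a constructed key and
a constructed cookie layout, and shows a single-byte flip turning "admin=0"
into "admin=1" under the unauthenticated scheme, and the same flip being
rejected once an HMAC tag is verified before decryption.

```python
"""Malleability of unauthenticated encryption vs encrypt-then-MAC.
Added illustration for this bulletin; not FortiMail's IBE or cookie code."""
import hashlib
import hmac
import os

KEY = b"constructed-demo-key-not-a-real-secret"   # constructed for the example


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, counter-mode style.
    Any CTR-mode or stream cipher (AES-CTR included) behaves the same way below."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Unauthenticated: blob = nonce || (plaintext XOR keystream) ---

def encrypt_unauthenticated(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_unauthenticated(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return _xor(ct, _keystream(key, nonce, len(ct)))   # accepts anything; no integrity check


def flip_byte(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker step. Knowing only the plaintext layout, turn the byte `old` at
    plaintext position `offset` into `new` by XORing the ciphertext byte with
    old ^ new. The key is never needed."""
    mutated = bytearray(blob)
    mutated[16 + offset] ^= old[0] ^ new[0]          # 16 skips the nonce
    return bytes(mutated)


# --- Encrypt-then-MAC: HMAC-SHA256 over nonce || ciphertext, checked first ---

def _subkeys(key: bytes):
    # Separate keys for encryption and authentication (derived here from one master key).
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def encrypt_authenticated(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    blob = encrypt_unauthenticated(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def decrypt_authenticated(key: bytes, blob: bytes):
    enc_key, mac_key = _subkeys(key)
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        return None                                   # tampered or forged: do not decrypt
    return decrypt_unauthenticated(enc_key, body)


def demo() -> dict:
    cookie = b"uid=1042;admin=0"                      # constructed cookie plaintext
    offset = cookie.index(b"admin=") + len(b"admin=")

    # 1. Unauthenticated: the server decrypts the flipped cookie and sees admin=1.
    forged = flip_byte(encrypt_unauthenticated(KEY, cookie), offset, b"0", b"1")
    tampered_plaintext = decrypt_unauthenticated(KEY, forged)

    # 2. Encrypt-then-MAC: the identical flip fails the tag check.
    blob2 = encrypt_authenticated(KEY, cookie)
    forged2 = flip_byte(blob2, offset, b"0", b"1")
    return {
        "tampered_plaintext": tampered_plaintext,
        "authenticated_rejects_forgery": decrypt_authenticated(KEY, forged2) is None,
        "authenticated_roundtrip": decrypt_authenticated(KEY, blob2),
    }


if __name__ == "__main__":
    print(demo())
```

The attacker in step 1 needs no key material, only knowledge of where the
field sits in the plaintext. The fix is either an AEAD mode (AES-GCM,
ChaCha20-Poly1305) or encrypt-then-MAC as above, with the tag compared in
constant time and checked before anything is decrypted or parsed.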

Impact

Elevation of privilege

Affected Products

FortiMail 6.4.4 and below.
FortiMail 6.2.6 and below.

Solutions

Upgrade to FortiMail 7.0.0.
Upgrade to FortiMail 6.4.5.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT
Team.


- --------------------------------------------------------------------------------


FortiMail - Improper use of cryptographic primitives in IBE KeyStore

IR Number    : FG-IR-20-244
Date         : Jul 02, 2021
Risk         : 3/5
CVSSv3 Score : 4.2
Impact       : Information disclosure
CVE ID       : CVE-2021-26099
Affected Products: FortiMail: 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.11, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.12, 5.4.11, 5.4.10, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.13, 5.3.12, 5.3.10, 5.3.9, 5.3.8, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.10, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.11, 5.0.10, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0

Summary

Missing cryptographic steps in FortiMail IBE may allow an attacker who comes into
possession of the encrypted master keys to compromise their confidentiality by
observing a few invariant properties of the ciphertext.

Impact

Information disclosure

Affected Products

FortiMail version 6.4.4 and below.
FortiMail version 6.2.6 and below.

Solutions

Upgrade to FortiMail version 7.0.0.

Fix for version 6.4 to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.


- --------------------------------------------------------------------------------


FortiMail - Insecure PRNG in password and token generation scheme of IBE authentication

IR Number    : FG-IR-21-031
Date         : Jun 21, 2021
Risk         : 3/5
CVSSv3 Score : 6.9
Impact       : Information disclosure
CVE ID       : CVE-2021-26091
Affected Products: FortiMail: 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0

Summary

Use of a cryptographically weak pseudo-random number generator in the
authenticator of the FortiMail Identity Based Encryption service may allow an
unauthenticated attacker to infer parts of users' authentication tokens and
reset their credentials.
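
To show why a token from a non-cryptographic PRNG can be recovered, and why
its successors can then be predicted, the Python below is an added
illustration for this bulletin, not FortiMail's authenticator (the advisory
does not describe the actual token scheme). The weak scheme seeds Python's
Mersenne Twister (the random module) with the issue time in seconds, a
constructed stand-in for any low-entropy seed; the fixed scheme uses the
secrets module, which draws from the OS CSPRNG and has no seed to recover.

```python
"""Weak-PRNG token recovery and prediction vs a CSPRNG token.
Added illustration for this bulletin; not FortiMail's IBE authenticator."""
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 8
ISSUE_TIME = 1_626_000_000      # constructed issue timestamp (seconds) used as the weak seed


def weak_tokens(seed: int, count: int) -> list:
    """Weak scheme: one Mersenne Twister instance seeded from `seed`, handing out
    reset tokens in sequence. Not a CSPRNG; its output is a function of the seed."""
    rng = random.Random(seed)
    return ["".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN)) for _ in range(count)]


def recover_seed(observed_token: str, approx_seed: int, window: int):
    """Attacker step 1: the attacker requested a reset for their own account and
    received `observed_token`. Knowing the seed is the issue time to within
    `window` seconds, they brute-force the seed that reproduces it."""
    for candidate in range(approx_seed - window, approx_seed + window + 1):
        if weak_tokens(candidate, 1)[0] == observed_token:
            return candidate
    return None


def predict_following_tokens(seed: int, already_seen: int, count: int) -> list:
    """Attacker step 2: with the seed, every later token from the same generator
    (for example the next user's reset token) is known in advance."""
    return weak_tokens(seed, already_seen + count)[already_seen:]


def strong_token() -> str:
    """Fixed scheme: 32 bytes from the OS CSPRNG, URL-safe base64. No seed exists
    for an attacker to recover, so one token says nothing about the next."""
    return secrets.token_urlsafe(32)


def demo() -> dict:
    # The service issues two reset tokens from the same weak generator:
    # first the attacker's, then the victim's.
    attacker_token, victim_token = weak_tokens(ISSUE_TIME, 2)

    # The attacker knows the issue time only roughly (here: within five minutes).
    seed = recover_seed(attacker_token, ISSUE_TIME + 137, window=300)
    predicted = predict_following_tokens(seed, 1, 1)[0] if seed is not None else None

    return {
        "recovered_seed": seed,
        "victim_token": victim_token,
        "predicted_victim_token": predicted,
        "strong_tokens_differ": strong_token() != strong_token(),
    }


if __name__ == "__main__":
    print(demo())
```

The window of 601 candidate seeds is searched in well under a second; a seed
drawn from a 32-bit clock or process id is not much harder. Note that a
Mersenne Twister can also be reconstructed from 624 consecutive raw outputs
with no seed guessing at all, so the token length is irrelevant to the fix:
only the source of randomness is.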

Impact

Information disclosure

Affected Products

FortiMail 6.4.4 and below.
FortiMail 6.2.6 and below.

Solutions

Upgrade to FortiMail 7.0.0.

Upgrade to FortiMail 6.4.5.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT
Team.


- --------------------------------------------------------------------------------


FortiMail - Memory leak in Webmail

IR Number    : FG-IR-21-042
Date         : Jun 16, 2021
Risk         : 3/5
CVSSv3 Score : 5.3
Impact       : Denial of service
CVE ID       : CVE-2021-26090
Affected Products: FortiMail: 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0

Summary

A missing release of memory after its effective lifetime vulnerability
(CWE-401) in FortiMail Webmail may allow an unauthenticated remote attacker to
exhaust available memory via specifically crafted login requests.

Impact

Denial of service

Affected Products

FortiMail 6.4.4 and below.
FortiMail 6.2.6 and below.

Solutions

Upgrade to FortiMail 7.0.0.
Upgrade to FortiMail 6.4.5.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT
Team.


- --------------------------------------------------------------------------------


FortiMail - Multiple buffer overflows

IR Number    : FG-IR-21-023
Date         : Jun 16, 2021
Risk         : 4/5
CVSSv3 Score : 8.3
Impact       : Remote code execution
CVE ID       : CVE-2021-22129
Affected Products: FortiMail: 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.12, 5.4.11, 5.4.10, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.13, 5.3.12, 5.3.10, 5.3.9, 5.3.8, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.10, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.11, 5.0.10, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0

Summary

Multiple instances of incorrect calculation of buffer size in FortiMail Webmail
and Administrative interface may allow an authenticated attacker with regular
webmail access to trigger a buffer overflow and to possibly execute
unauthorized code or commands via specifically crafted HTTP requests.

Impact

Remote code execution

Affected Products

FortiMail 6.4.4 and below.
FortiMail 6.2.6 and below.
FortiMail 6.0.10 and below.
FortiMail 5.4.12 and below.

Solutions

Upgrade to FortiMail 6.4.5 or above.
Upgrade to FortiMail 6.2.7 or above.
Upgrade to FortiMail 6.0.11 or above.
5.4 Fix to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT
Team.


- --------------------------------------------------------------------------------


FortiMail - OS Command injection

IR Number    : FG-IR-21-021
Date         : Jun 16, 2021
Risk         : 4/5
CVSSv3 Score : 7
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2021-24015
Affected Products: FortiMail: 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.12, 5.4.11, 5.4.10, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.13, 5.3.12, 5.3.10, 5.3.9, 5.3.8, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.10, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.11, 5.0.10, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0

Summary

An improper neutralization of special elements used in an OS command
vulnerability (CWE-78) in FortiMail's administrative interface may allow an
authenticated attacker to execute unauthorized commands via specifically
crafted HTTP requests.
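
The CWE-78 pattern, and the two fixes that remove it, in Python. This is an
added illustration for this bulletin, not FortiMail's code (the advisory does
not publish the affected code path). A constructed "diagnostic" handler echoes
the host it was asked about, so the example runs without network access; the
same shape applies to any handler that splices a request parameter into a
shell command line.

```python
"""OS command injection via shell=True and its fixes (argv list, input allow-list).
Added illustration for this bulletin; not FortiMail's administrative interface."""
import re
import subprocess

# RFC 1123 style hostname: letters, digits, hyphens, dot-separated labels of 1-63 chars.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def diag_vulnerable(host: str) -> str:
    """Request parameter interpolated into a shell command string. A ';' in `host`
    ends the intended command and starts one chosen by the attacker."""
    completed = subprocess.run(f"echo Checking {host}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def diag_fixed_argv(host: str) -> str:
    """Fix 1: no shell. Each argv element reaches the program unchanged, so shell
    metacharacters in `host` are just bytes inside one argument."""
    completed = subprocess.run(["echo", "Checking", host],
                               capture_output=True, text=True)
    return completed.stdout


def diag_fixed_validated(host: str) -> str:
    """Fix 2 (defence in depth): allow-list the parameter's syntax before using it."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return diag_fixed_argv(host)


def demo() -> dict:
    payload = "mail.example.com; echo INJECTED"      # constructed attacker input
    vulnerable_out = diag_vulnerable(payload)
    try:
        diag_fixed_validated(payload)
        validated_rejected = False
    except ValueError:
        validated_rejected = True
    return {
        # The shell ran two commands: the echo we intended and the attacker's.
        "vulnerable_ran_second_command":
            vulnerable_out.splitlines() == ["Checking mail.example.com", "INJECTED"],
        # Without a shell the whole payload is one harmless argument.
        "argv_output": diag_fixed_argv(payload),
        "validated_rejected": validated_rejected,
        "validated_ok": diag_fixed_validated("mail.example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The argv form alone already closes the injection; the allow-list is what
stops the parameter from reaching the program at all when it cannot be a
hostname, which also protects against option injection (a value beginning
with "-") where the invoked program parses flags.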

Impact

Execute unauthorized code or commands

Affected Products

FortiMail 6.4.3
FortiMail 6.2.6
FortiMail 6.0.10
FortiMail 5.4.12

Solutions

Upgrade to FortiMail 7.0.0.

Upgrade to FortiMail 6.4.4.

Upgrade to FortiMail 6.2.7.

Upgrade to FortiMail 6.0.11.

5.4 Fix to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.


- --------------------------------------------------------------------------------


FortiMail - SQL Injection vulnerabilities

IR Number    : FG-IR-21-012
Date         : Jun 21, 2021
Risk         : 5/5
CVSSv3 Score : 9.3
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2021-24007
Affected Products: FortiMail: 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.12, 5.4.11, 5.4.10, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.13, 5.3.12, 5.3.10, 5.3.9, 5.3.8, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.10, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.11, 5.0.10, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0

Summary

Multiple improper neutralization of special elements used in SQL commands
vulnerabilities in FortiMail may allow an unauthenticated attacker to execute
unauthorized code or commands via specifically crafted HTTP requests.
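
The injection pattern behind advisories of this kind, and the parameterized
fix, in Python. This is an added illustration for this bulletin, not
FortiMail's code (the advisory does not publish the affected queries). An
in-memory SQLite database with a constructed users table stands in for the
application's store; the attacker input closes the username literal and
comments out the password check.

```python
"""SQL injection through string-built queries vs a parameterized query.
Added illustration for this bulletin; not FortiMail's code."""
import hashlib
import sqlite3


def _pw_hash(password: str) -> str:
    # Stand-in for a real password hash (PBKDF2/scrypt/argon2 in production);
    # kept simple so the query shape stays visible.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data, built in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "pw_hash TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", _pw_hash("correct horse battery staple"), "admin"),
        ("alice", _pw_hash("alice-password"), "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Request parameters interpolated into SQL text. A quote in `username` ends the
    string literal and whatever follows is executed as SQL."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND pw_hash = '{_pw_hash(password)}'")
    return conn.execute(sql).fetchone()


def login_fixed(conn, username: str, password: str):
    """Parameterized query: the driver binds the values; they are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, _pw_hash(password))).fetchone()


def demo() -> dict:
    conn = make_db()
    payload = "admin' --"      # constructed: closes the literal, "--" comments out the rest
    return {
        "vulnerable_with_payload": login_vulnerable(conn, payload, "wrong-password"),
        "fixed_with_payload": login_fixed(conn, payload, "wrong-password"),
        "fixed_legit": login_fixed(conn, "alice", "alice-password"),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the vulnerable query that actually reaches the database is
"... WHERE username = 'admin' --' AND pw_hash = '...'", so the password
clause is never evaluated and the admin row is returned. The parameterized
version looks for a user literally named "admin' --" and finds none.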

Impact

Execute unauthorized code or commands

Affected Products

FortiMail version 6.4.3 and below.
FortiMail version 6.2.6 and below.
FortiMail version 6.0.10 and below.
FortiMail version 5.4.12 and below.

Solutions

Upgrade to version 6.4.4 or higher.

Upgrade to version 6.2.7 or higher.

Upgrade to version 6.0.11 or higher.

5.4 Fix to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT
Team.


- --------------------------------------------------------------------------------


FortiMail - Salted Digest vulnerable to length extension attacks

IR Number    : FG-IR-21-027
Date         : Jun 21, 2021
Risk         : 3/5
CVSSv3 Score : 6.9
Impact       : Elevation of privileges
CVE ID       : CVE-2021-24020
Affected Products: FortiMail: 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0

Summary

A missing cryptographic step in the implementation of the hash digest algorithm
in FortiMail may allow an unauthenticated attacker to tamper with signed URLs by
appending further data to them (a length extension attack), bypassing signature
verification.

Impact

Elevation of privileges

Affected Products

FortiMail 6.4.4 and below.
FortiMail 6.2.6 and below.

Solutions

Upgrade to FortiMail version 7.0.0.
Upgrade to FortiMail version 6.4.5.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT
Team.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----