-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0050
    FortiDeceptor is impacted by an OS command injection vulnerability
                              6 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiDeceptor
Publisher:         fortiguard
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-29017

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-20-177

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiDeceptor is impacted by an OS command injection vulnerability

IR Number    : FG-IR-20-177
Date         : Jan 04, 2021
Risk         : 4/5
CVSSv3 Score : 8.1
Impact       : Execute unauthorized code or commands

Summary

An OS command injection vulnerability in FortiDeceptor may allow a remote
authenticated attacker to execute arbitrary commands on the system by
exploiting a command injection vulnerability on the Customization page.

Impact

Execute unauthorized code or commands

Affected Products

FortiDeceptor versions 3.1.0 and below.
FortiDeceptor versions 3.0.1 and below.

Solutions

Please upgrade to FortiDeceptor versions 3.2.0 or above.
Please upgrade to FortiDeceptor versions 3.1.1 or above.
Please upgrade to FortiDeceptor versions 3.0.2 or above.

Acknowledgement

Fortinet is pleased to thank Chua Wei Kiat for finding and reporting this
issue.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----