-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2380
       FortiMail Increased Privileges - Remote With User Interaction
                               14 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiMail
Publisher:         Fortinet
Operating System:  Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-26099 CVE-2021-26095 CVE-2021-26091 CVE-2021-26090
                   CVE-2021-22129 CVE-2021-24015 CVE-2021-24007 CVE-2021-24020
                   CVE-2021-26100

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-21-019
   https://fortiguard.com/psirt/FG-IR-20-244
   https://fortiguard.com/psirt/FG-IR-21-031
   https://fortiguard.com/psirt/FG-IR-21-042
   https://fortiguard.com/psirt/FG-IR-21-023
   https://fortiguard.com/psirt/FG-IR-21-021
   https://fortiguard.com/psirt/FG-IR-21-012
   https://fortiguard.com/psirt/FG-IR-21-027
   https://fortiguard.com/psirt/FG-IR-21-003

Comment: This bulletin contains nine (9) Fortinet security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

FortiMail - Unauthenticated encryption in IBE leads to email plaintext recovery

IR Number    : FG-IR-21-003
Date         : Jul 02, 2021
Risk         : 3/5
CVSSv3 Score : 5.6
CVE ID       : CVE-2021-26100

Affected Products:
FortiMail: 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.11, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.12, 5.4.11, 5.4.10, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.13, 5.3.12, 5.3.10, 5.3.9, 5.3.8, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.10, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.11, 5.0.10, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0

Summary

A missing cryptographic step in FortiMail IBE may allow an unauthenticated
attacker who intercepts the encrypted messages to manipulate them in such a
way that makes the tampering and the recovery of the plaintexts possible.

Affected Products

FortiMail version 6.4.4 and below.
FortiMail version 6.2.6 and below.

Solutions

Upgrade to FortiMail version 7.0.0.
Fix for version 6.4 to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.
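What "unauthenticated encryption" buys an interceptor, as an added example that is not Fortinet's code and not the appliance's cipher. It serves both FG-IR-21-003 above (an intercepted IBE message can be altered) and the session-cookie advisory FG-IR-21-019 that follows (an encrypted cookie can be altered to escalate privileges). The block cipher is a toy 4-round Feistel network built on HMAC-SHA256 so the file runs with the standard library alone; it is an assumption standing in for AES, and the cookie layout `role=user;uid=1001` is constructed. The property shown does not depend on the cipher: CBC with no MAC lets an attacker who never learns the key flip chosen plaintext bits by editing the IV, and encrypt-then-MAC, the missing step, makes the same edit fail verification before anything is decrypted.

```python
"""Malleability of unauthenticated CBC, beside encrypt-then-MAC.

Toy Feistel cipher (assumption, not FortiMail's); the flaw shown is in the
mode, not the cipher: without a MAC, ciphertext is freely editable.
"""
import hashlib, hmac, os

BLOCK, ROUNDS = 16, 4

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key, i, half):            # keyed PRF: 8 bytes of HMAC-SHA256
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):          # toy Feistel network, 16-byte block
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return left + right

def block_decrypt(key, block):          # same rounds in reverse order
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, i, left)), left
    return left + right

def pad(data):                          # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext, iv=None):
    prev = iv or os.urandom(BLOCK)
    out, data = [prev], pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)                # IV || C1 || C2 ...

def cbc_decrypt(key, ciphertext):
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return unpad(b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:])))

def flip_first_block(ciphertext, offset, old, new):
    """Attacker: P1 = D(C1) XOR IV, so XORing (old ^ new) into the IV turns
    plaintext bytes `old` at `offset` into `new`. No key needed, no garbling."""
    iv = bytearray(ciphertext[:BLOCK])
    for k, (o, n) in enumerate(zip(old, new)):
        iv[offset + k] ^= o ^ n
    return bytes(iv) + ciphertext[BLOCK:]

# The missing step: encrypt-then-MAC under an independent key, verified first.
def seal(enc_key, mac_key, plaintext):
    ct = cbc_encrypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, token):
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return cbc_decrypt(enc_key, ct)

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    cookie = b"role=user;uid=1001"                  # constructed session cookie
    at = cookie.index(b"user")
    forged = flip_first_block(cbc_encrypt(enc_key, cookie), at, b"user", b"root")
    escalated = cbc_decrypt(enc_key, forged)        # b"role=root;uid=1001"
    try:
        open_sealed(enc_key, mac_key,
                    flip_first_block(seal(enc_key, mac_key, cookie), at, b"user", b"root"))
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return escalated, verdict
```

Editing the IV rewrites the first plaintext block exactly; editing C1 would rewrite the second block and garble the first, which is why attackers aim at the block after the one they corrupt. The "recovery of the plaintexts" half of FG-IR-21-003 follows from the same missing MAC when the receiver's handling of bad padding or malformed content is observable (a padding-oracle style attack), which this example does not carry out. Any AEAD mode (AES-GCM, ChaCha20-Poly1305) gives the same guarantee as the `seal`/`open_sealed` pair without hand-rolling the MAC.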
- --------------------------------------------------------------------------------

FortiMail - Improper cryptographic operations in cookie encryption potentially prone to forgery

IR Number    : FG-IR-21-019
Date         : Jun 16, 2021
Risk         : 3/5
CVSSv3 Score : 6.9
Impact       : Elevation of privilege
CVE ID       : CVE-2021-26095

Affected Products:
FortiMail: 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0

Summary

The combination of various cryptographic issues in the session management of
FortiMail, including the encryption construction of the session cookie, may
allow a remote attacker already in possession of a cookie to possibly reveal
and alter or forge its content, thereby escalating privileges.

Impact

Elevation of privilege

Affected Products

FortiMail 6.4.4 and below.
FortiMail 6.2.6 and below.

Solutions

Upgrade to FortiMail 7.0.0.
Upgrade to FortiMail 6.4.5.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT Team.

- --------------------------------------------------------------------------------

FortiMail - Improper use of cryptographic primitives in IBE KeyStore

IR Number    : FG-IR-20-244
Date         : Jul 02, 2021
Risk         : 3/5
CVSSv3 Score : 4.2
Impact       : Information disclosure
CVE ID       : CVE-2021-26099

Affected Products:
FortiMail: 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.11, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.12, 5.4.11, 5.4.10, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.13, 5.3.12, 5.3.10, 5.3.9, 5.3.8, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.10, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.11, 5.0.10, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0

Summary

Missing cryptographic steps in FortiMail IBE may allow an attacker who comes in
possession of the encrypted master keys to compromise their confidentiality by
observing a few invariant properties of the ciphertext.

Impact

Information disclosure

Affected Products

FortiMail version 6.4.4 and below.
FortiMail version 6.2.6 and below.

Solutions

Upgrade to FortiMail version 7.0.0.
Fix for version 6.4 to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.

- --------------------------------------------------------------------------------

FortiMail - Insecure PRNG in password and token generation scheme of IBE authentication

IR Number    : FG-IR-21-031
Date         : Jun 21, 2021
Risk         : 3/5
CVSSv3 Score : 6.9
Impact       : Information disclosure
CVE ID       : CVE-2021-26091

Affected Products:
FortiMail: 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0

Summary

A use of a cryptographically weak pseudo-random number generator vulnerability
in the authenticator of FortiMail Identity Based Encryption service may allow
an unauthenticated attacker to infer parts of users' authentication tokens and
reset their credentials.

Impact

Information disclosure

Affected Products

FortiMail 6.4.4 and below.
FortiMail 6.2.6 and below.

Solutions

Upgrade to FortiMail 7.0.0.
Upgrade to FortiMail 6.4.5.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT Team.

- --------------------------------------------------------------------------------

FortiMail - Memory leak in Webmail

IR Number    : FG-IR-21-042
Date         : Jun 16, 2021
Risk         : 3/5
CVSSv3 Score : 5.3
Impact       : Denial of service
CVE ID       : CVE-2021-26090

Affected Products:
FortiMail: 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0

Summary

A missing release of memory after its effective lifetime vulnerability
(CWE-401) in FortiMail Webmail may allow an unauthenticated remote attacker to
exhaust available memory via specifically crafted login requests.
Impact

Denial of service

Affected Products

FortiMail 6.4.4 and below.
FortiMail 6.2.6 and below.

Solutions

Upgrade to FortiMail 7.0.0.
Upgrade to FortiMail 6.4.5.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT Team.

- --------------------------------------------------------------------------------

FortiMail - Multiple buffer overflows

IR Number    : FG-IR-21-023
Date         : Jun 16, 2021
Risk         : 4/5
CVSSv3 Score : 8.3
Impact       : Remote code execution
CVE ID       : CVE-2021-22129

Affected Products:
FortiMail: 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.12, 5.4.11, 5.4.10, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.13, 5.3.12, 5.3.10, 5.3.9, 5.3.8, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.10, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.11, 5.0.10, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0

Summary

Multiple instances of incorrect calculation of buffer size in FortiMail Webmail
and Administrative interface may allow an authenticated attacker with regular
webmail access to trigger a buffer overflow and to possibly execute
unauthorized code or commands via specifically crafted HTTP requests.

Impact

Remote code execution

Affected Products

FortiMail 6.4.4 and below.
FortiMail 6.2.6 and below.
FortiMail 6.0.10 and below.
FortiMail 5.4.12 and below.

Solutions

Upgrade to FortiMail 6.4.5 or above.
Upgrade to FortiMail 6.2.7 or above.
Upgrade to FortiMail 6.0.11 or above.
5.4 fix to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT Team.
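Returning to the IBE authenticator advisory FG-IR-21-031 above, the following added example (not Fortinet's code) shows why a cryptographically weak PRNG in a password or token flow is exploitable rather than merely untidy. The concrete scheme is an assumption chosen to illustrate the class of bug: a 12-character reset token drawn from Python's Mersenne Twister `random` seeded with the request timestamp, a pattern common enough to be worth showing. The timestamp, the token alphabet and the attacker's time window are all constructed. Because every output is a deterministic function of the seed, an attacker who knows roughly when the victim requested a reset enumerates the seeds in that window and obtains a short list that contains the real token; a leaked prefix pins the seed and gives the rest of the token. `secrets`, the fix, draws from the OS CSPRNG and has no seed to guess.

```python
"""Predictable reset tokens from a time-seeded MT19937, beside the fix.

Assumed scheme (not FortiMail's): token = 12 chars from random.Random(t).
Even with a good seed, MT19937 is not a CSPRNG: 624 consecutive 32-bit
outputs let an observer reconstruct its state and predict every later token.
"""
import random, secrets, string

ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 12

def weak_token(seed):
    """Vulnerable: MT19937 seeded with a low-entropy value such as int(time.time())."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))

def strong_token():
    """Fix: OS CSPRNG via `secrets`; no seed to guess and no recoverable state."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))

def candidate_tokens(approx_time, window):
    """Attacker: every token the server could have minted within +/- window
    seconds of approx_time. Against a reset endpoint that takes the token in a
    URL this list is the whole attack: 7201 guesses for a one-hour window."""
    return {weak_token(s) for s in range(approx_time - window, approx_time + window + 1)}

def recover_from_prefix(prefix, approx_time, window):
    """Attacker who saw part of a token (truncated log line, URL preview):
    the prefix identifies the seed, and the seed yields the full token."""
    return [weak_token(s) for s in range(approx_time - window, approx_time + window + 1)
            if weak_token(s).startswith(prefix)]

def demo():
    victim_time = 1625_000_000             # constructed: the second the reset was requested
    real = weak_token(victim_time)
    guess_time = victim_time + 1200        # attacker only knows "about twenty minutes ago"
    cands = candidate_tokens(guess_time, 3600)
    from_prefix = recover_from_prefix(real[:4], guess_time, 3600)
    return real in cands, real in from_prefix, len(cands)
```

Two further consequences of the weak scheme are worth checking for in a code review: two users who request a reset in the same second receive the same token, and any endpoint that reveals part of a token (even its length pattern) narrows the search. Neither property has an analogue with `secrets.token_urlsafe()`, which is the one-line replacement for the whole of `weak_token`.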
- --------------------------------------------------------------------------------

FortiMail - OS Command injection

IR Number    : FG-IR-21-021
Date         : Jun 16, 2021
Risk         : 4/5
CVSSv3 Score : 7
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2021-24015

Affected Products:
FortiMail: 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.12, 5.4.11, 5.4.10, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.13, 5.3.12, 5.3.10, 5.3.9, 5.3.8, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.10, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.11, 5.0.10, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0

Summary

An improper neutralization of special elements used in an OS Command
vulnerability (CWE-78) in FortiMail's administrative interface may allow an
authenticated attacker to execute unauthorized commands via specifically
crafted HTTP requests.

Impact

Execute unauthorized code or commands

Affected Products

FortiMail 6.4.3
FortiMail 6.2.6
FortiMail 6.0.10
FortiMail 5.4.12

Solutions

Upgrade to FortiMail 7.0.0.
Upgrade to FortiMail 6.4.4.
Upgrade to FortiMail 6.2.7.
Upgrade to FortiMail 6.0.11.
5.4 fix to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.
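The CWE-78 pattern behind FG-IR-21-021, as an added example that is not Fortinet's code. The advisory says only that crafted HTTP requests to the administrative interface reach an OS command, so the `host` parameter, the stand-in diagnostic command (`echo` in place of a real network tool) and the three payloads are assumptions. The vulnerable handler formats the request parameter into a shell command line; the hardened one validates it against a strict allowlist, refuses option-looking values, and passes it as a single argv element with no shell, so metacharacters are never interpreted.

```python
"""CWE-78 in a web handler: the shell-string form beside the argv form."""
import re
import subprocess

# Allowlist for a hostname parameter; anything outside it is refused outright.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

def lookup_vulnerable(host):
    """shell=True hands the whole string to /bin/sh, so `;`, `|`, `$( )` and
    backticks in `host` are all executed. `echo` stands in for a real tool."""
    cmd = f"echo resolving {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def lookup_hardened(host):
    """Allowlist first, then argv without a shell. A leading '-' is refused
    separately so the value cannot be parsed as an option by the real tool."""
    if not HOST_RE.fullmatch(host) or host.startswith("-"):
        raise ValueError(f"rejected host parameter: {host!r}")
    out = subprocess.run(["echo", "resolving", host],
                         capture_output=True, text=True, check=True)
    return out.stdout

PAYLOADS = [                                    # constructed attacker inputs
    "mail.example.com; echo INJECTED",
    "mail.example.com$(echo INJECTED)",
    "`echo INJECTED`",
]

def demo():
    """Per payload: did the shell version run the injected command, and did
    the hardened version let the value through at all."""
    results = []
    for p in PAYLOADS:
        ran = "INJECTED" in lookup_vulnerable(p)
        try:
            lookup_hardened(p)
            passed = True
        except ValueError:
            passed = False
        results.append((ran, passed))
    return results
```

The order of the two defences matters: quoting alone (`shlex.quote`) keeps the shell from splitting the value but still runs a shell, and validation alone still lets a legitimate-looking value reach whatever parsing the invoked tool does with it. Not invoking a shell removes the injection surface; the allowlist is there for the tool's own argument handling.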
- --------------------------------------------------------------------------------

FortiMail - SQL Injection vulnerabilities

IR Number    : FG-IR-21-012
Date         : Jun 21, 2021
Risk         : 5/5
CVSSv3 Score : 9.3
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2021-24007

Affected Products:
FortiMail: 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.4.12, 5.4.11, 5.4.10, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.13, 5.3.12, 5.3.10, 5.3.9, 5.3.8, 5.3.7, 5.3.6, 5.3.5, 5.3.4, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.10, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1.0, 5.0.11, 5.0.10, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 5.0.0

Summary

Multiple improper neutralization of special elements of SQL commands
vulnerabilities in FortiMail may allow a non-authenticated attacker to execute
unauthorized code or commands via specifically crafted HTTP requests.

Impact

Execute unauthorized code or commands

Affected Products

FortiMail version 6.4.3 and below.
FortiMail version 6.2.6 and below.
FortiMail version 6.0.10 and below.
FortiMail version 5.4.12 and below.

Solutions

Upgrade to version 6.4.4 or higher.
Upgrade to version 6.2.7 or higher.
Upgrade to version 6.0.11 or higher.
5.4 fix to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT Team.
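The last advisory in this bulletin, FG-IR-21-027 below, describes a salted digest over signed URLs that can be extended by appending data. The following added example (not Fortinet's code) shows the mechanism in general rather than the appliance's scheme: the signed URL, the secret and the appended parameter are constructed, and the signing construction assumed is `tag = SHA256(secret || message)`, which is the textbook shape of this bug. SHA-256 is a Merkle-Damgard hash, so its digest is the full internal state after absorbing `secret || message || padding`; whoever knows the digest and the length of the secret can resume the hash and produce a valid tag for `message || padding || extra` without ever learning the secret. The compression function is re-implemented only so that a state can be injected; its constants are derived from the primes rather than typed in, and every result is cross-checked against `hashlib`. The missing step is an outer hash, which is exactly what HMAC provides.

```python
"""Length extension against tag = SHA256(secret || message), beside HMAC."""
import hashlib, hmac, math, struct

M32 = 0xffffffff

def _primes(n):
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps

def _icbrt(n):  # exact floor(cbrt(n)) so the K table is bit-exact
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

_P = _primes(64)
_K = [_icbrt(p << 96) & M32 for p in _P]          # frac(cbrt(p)) * 2^32
_IV = [math.isqrt(p << 64) & M32 for p in _P[:8]]  # frac(sqrt(p)) * 2^32

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32

def _compress(state, chunk):                       # one 64-byte SHA-256 block
    w = list(struct.unpack(">16L", chunk))
    for i in range(16, 64):
        s0 = _rotr(w[i-15], 7) ^ _rotr(w[i-15], 18) ^ (w[i-15] >> 3)
        s1 = _rotr(w[i-2], 17) ^ _rotr(w[i-2], 19) ^ (w[i-2] >> 10)
        w.append((w[i-16] + s0 + w[i-7] + s1) & M32)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + _K[i] + w[i]) & M32
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & M32
        a, b, c, d, e, f, g, h = (t1 + t2) & M32, a, b, c, (d + t1) & M32, e, f, g
    return tuple((x + y) & M32 for x, y in zip(state, (a, b, c, d, e, f, g, h)))

def md_padding(total_len):
    """The padding SHA-256 appends to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha256_from_state(state_digest, consumed_len, extra):
    """Resume SHA-256 from a digest (= the state) that already absorbed
    consumed_len bytes (a multiple of 64) and hash `extra` on top of it."""
    state = struct.unpack(">8L", state_digest)
    data = extra + md_padding(consumed_len + len(extra))
    for i in range(0, len(data), 64):
        state = _compress(state, data[i:i + 64])
    return struct.pack(">8L", *state)

def sha256(data):  # plain hash through the same code path, for self-checking
    return sha256_from_state(struct.pack(">8L", *_IV), 0, data)

# Vulnerable scheme: tag = SHA256(secret || url), and the attack against it.
def sign_salted(secret, message):
    return hashlib.sha256(secret + message).digest()

def verify_salted(secret, message, tag):
    return hmac.compare_digest(sign_salted(secret, message), tag)

def extend(tag, message, secret_len, extra):
    """Attacker: no secret, only its length. Returns (message', tag') that
    verify_salted accepts. `glue` is the padding the server's own hash inserted;
    in a URL it would travel percent-encoded."""
    glue = md_padding(secret_len + len(message))
    new_tag = sha256_from_state(tag, secret_len + len(message) + len(glue), extra)
    return message + glue + extra, new_tag

# Fix: HMAC's outer hash means the exposed tag is never the inner state.
def sign_hmac(secret, message):
    return hmac.new(secret, message, hashlib.sha256).digest()

def demo():
    secret = b"server-side-salt"                   # constructed; attacker knows only len()
    url = b"/download?file=inbox.mbox&uid=1001"    # constructed signed URL
    tag = sign_salted(secret, url)
    url2, tag2 = extend(tag, url, len(secret), b"&uid=1")   # last uid= wins in many parsers
    return verify_salted(secret, url2, tag2), hmac.compare_digest(sign_hmac(secret, url2), tag2)
```

The secret's length is the only thing the attacker has to guess, and a short loop over plausible lengths covers it. Putting the secret after the message (`SHA256(message || secret)`) blocks extension but has its own weaknesses, so the practical fix is HMAC or, where a URL signer already exists, a library that uses one.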
- --------------------------------------------------------------------------------

FortiMail - Salted Digest vulnerable to length extension attacks

IR Number    : FG-IR-21-027
Date         : Jun 21, 2021
Risk         : 3/5
CVSSv3 Score : 6.9
Impact       : Elevation of privileges
CVE ID       : CVE-2021-24020

Affected Products:
FortiMail: 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0

Summary

A missing cryptographic step in the implementation of the hash digest
algorithm in FortiMail may allow an unauthenticated attacker to tamper with
signed URLs by appending further data, which allows bypass of signature
verification.

Impact

Elevation of privileges

Affected Products

FortiMail 6.4.4 and below.
FortiMail 6.2.6 and below.

Solutions

Upgrade to FortiMail version 7.0.0.
Upgrade to FortiMail version 6.4.5.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT Team.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYO5vquNLKJtyKPYoAQj29RAAsE64/NVz5fyHOo6qi+ObxkdSKPYMP6O4
+p7bToNspT4kQYc+c0r+dRHgrlnhcWU6EOjMQlXx0xyAXxjrDPL3GUad1ylxjLgG
iBzot2NuuEadwZMr8yVfU8NlzxRJG3rbPnA7XzMDgn6fBfKdUhgevk7rI09qmr7v
ZhI8Os1hyFbNyU7EvGg2PjbokUcsCnoli5fED7G6+kDr/2PYHymrUjVbsqnWxW/H
osbE9cGRXOAqq2plfXwrUhu9Nlf8tqzTcct2ZAJXWkLOSHepBSOxCJ0XuL42ERS7
cls+wxtjBvtmNjMQevZ3BLadKsMuVYHaUzlQqMLxSsXKWcfZfu/lolO8iboKz4HF
Sq9N9WFNpM13dhhsdEl9k52t091fe0HJ0PSKPREqewn3kNNGXFx9asv/lK08DtyY
nOLjJyeE2WVY1Yy03idXDcXbEZ913xPV+e3osUZLhvhdwmswXmFV11gXqR4JCF6V
2hzxEIPmUpKbR3ljxrYeftvNTqnzlhQpLHNay+Hs8Uji/Apdev4vsLtKqZSYSgbN
RqqDid7/ja4y5Ej2oqpnyuBaUtOkedYOUY09pz5qou+tg2WxF3SIhHPCZraNnIU8
fYws2vnn7qkLZJ32tmrWWeKnj3OWE4eCAgisUzRAd2yLi4LunshINfyRoUtih7GG
47REIda0Be8=
=nTeS
-----END PGP SIGNATURE-----