-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2618
      FortiSandbox and FortiAuthenticator login modules vulnerability
                               4 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiSandbox
                   FortiAuthenticator
Publisher:         FortiGuard Labs
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22124

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-20-170

--------------------------BEGIN INCLUDED TEXT--------------------

Uncontrolled Resource Consumption (Unauthenticated Denial of Service) in login module

IR Number    : FG-IR-20-170
Date         : Jul 30, 2021
Risk         : 4/5
CVSSv3 Score : 7.3
Impact       : Availability, Denial of Service
CVE ID       : CVE-2021-22124

Summary

An uncontrolled resource consumption (denial of service) vulnerability in the
FortiSandbox and FortiAuthenticator login modules may allow an unauthenticated
attacker to bring the device into an unresponsive state via specifically
crafted long request parameters.

Impact

Availability, Denial of Service

Affected Products

FortiSandbox 3.2.1 and below.
FortiSandbox 3.1.4 and below.
FortiSandbox 3.0.6 and below.
FortiAuthenticator 6.0.5 and below.
FortiAuthenticator 5.5.0 and below.
FortiAuthenticator 5.4.1 and below.
FortiAuthenticator 5.3.1 and below.
FortiAuthenticator 5.2.2 and below.
FortiAuthenticator 5.1.2 and below.
FortiAuthenticator 5.0.0 and below.
FortiAuthenticator 4.3.4 and below.

Solutions

Upgrade to FortiSandbox 4.0.0 or above.
Upgrade to FortiSandbox 3.2.2 or above.
Upgrade to FortiSandbox 3.1.5 or above.
Upgrade to FortiSandbox 3.0.7 or above.
Upgrade to FortiAuthenticator version 6.3.0 or above.
Upgrade to FortiAuthenticator version 6.2.0 or above.
Upgrade to FortiAuthenticator version 6.1.0 or above.
Upgrade to FortiAuthenticator version 6.0.6 or above.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet
Product Security team.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
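The affected and fixed release lists above are branch-scoped, so a plain numeric comparison misclassifies builds such as FortiSandbox 3.1.5 (fixed, yet numerically below the affected 3.2.1). The following check is an added example written for this bulletin, not Fortinet's or AusCERT's code; it assumes each "X.Y.Z and below" entry applies only to its own X.Y release branch, and that each "or above" solution covers every later release.

```python
"""Branch-aware "am I affected?" check for FG-IR-20-170 / CVE-2021-22124.
Added example (not Fortinet or AusCERT code). Assumes each "X.Y.Z and below"
entry in the bulletin is scoped to its own X.Y release branch."""
from typing import Tuple

Version = Tuple[int, int, int]

# "Affected Products": highest affected release in each listed branch.
AFFECTED = {
    "FortiSandbox": [(3, 2, 1), (3, 1, 4), (3, 0, 6)],
    "FortiAuthenticator": [(6, 0, 5), (5, 5, 0), (5, 4, 1), (5, 3, 1),
                           (5, 2, 2), (5, 1, 2), (5, 0, 0), (4, 3, 4)],
}
# "Solutions": first fixed release in each branch that received a fix.
FIXED = {
    "FortiSandbox": [(4, 0, 0), (3, 2, 2), (3, 1, 5), (3, 0, 7)],
    "FortiAuthenticator": [(6, 3, 0), (6, 2, 0), (6, 1, 0), (6, 0, 6)],
}


def parse_version(text: str) -> Version:
    """Turn '3.1.5' or 'v3.1' into a comparable 3-tuple (missing parts are 0)."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def status(product: str, version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for an installed firmware version."""
    v = parse_version(version)
    branch = v[:2]
    # The newest "X or above" solution also covers every later release.
    if v >= max(FIXED[product]):
        return "fixed"
    # Branch with its own fix: compare against that branch's first fixed build,
    # so FortiSandbox 3.1.5 is fixed even though it sorts below affected 3.2.1.
    for fix in FIXED[product]:
        if fix[:2] == branch:
            return "fixed" if v >= fix else "affected"
    # Listed branch with no fix (e.g. FortiAuthenticator 5.x): upgrade out of it.
    for ceiling in AFFECTED[product]:
        if ceiling[:2] == branch:
            return "affected" if v <= ceiling else "unknown"
    # Branches the bulletin does not mention are not classified here.
    return "unknown"
```

Running `status("FortiSandbox", "3.1.5")` returns "fixed" while `status("FortiSandbox", "3.2.1")` returns "affected"; anything the bulletin does not list comes back "unknown" rather than being silently assumed safe.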
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----