-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6362
     FortiSandbox & FortiDeceptor - Insufficient logging and lack of
              limitation of failed authentication attempts
                               7 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiSandbox
                   FortiDeceptor
Publisher:         Fortinet
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-30305
Original Bulletin:
   https://fortiguard.fortinet.com/psirt/FG-IR-21-170

Comment: CVSS (Max):  3.6 CVE-2022-30305 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
         CVSS Source: Fortinet
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiSandbox & FortiDeceptor - Insufficient logging and lack of limitation of
failed authentication attempts

IR Number     : FG-IR-21-170
Date          : Dec 6, 2022
Severity      : Low
CVSSv3 Score  : 3.6
Impact        : Improper access control
CVE ID        : CVE-2022-30305

Affected Products:
FortiSandbox:  4.0.2, 4.0.1, 4.0.0, 3.2.3, 3.2.2, 3.2.1, 3.2.0, 3.1.5, 3.1.4,
               3.1.3, 3.1.2, 3.1.1, 3.1.0
FortiDeceptor: 4.2.0, 4.1.1, 4.1.0, 4.0.2, 4.0.1, 4.0.0, 3.3.3, 3.3.2, 3.3.1,
               3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0, 3.0.2, 3.0.1, 3.0.0

Summary

An insufficient logging [CWE-778] vulnerability in FortiSandbox and
FortiDeceptor may allow a remote attacker to repeatedly enter incorrect
credentials without causing a log entry, and with no limit on the number of
failed authentication attempts.

Affected Products

FortiSandbox version 3.1.0 through 3.1.5
FortiSandbox version 3.2.0 through 3.2.3
FortiSandbox version 4.0.0 through 4.0.2
FortiDeceptor version 4.2.0
FortiDeceptor version 4.1.0 through 4.1.1
FortiDeceptor version 4.0.0 through 4.0.2
FortiDeceptor version 3.3.0 through 3.3.3
FortiDeceptor version 3.2.0 through 3.2.2
FortiDeceptor version 3.1.0 through 3.1.1
FortiDeceptor version 3.0.0 through 3.0.2

Solutions

Please upgrade to FortiSandbox version 4.2.1 or above
Please upgrade to FortiDeceptor version 4.3.0 or above

Acknowledgement

Fortinet is pleased to thank Mohamed Elobeid for reporting this vulnerability
under responsible disclosure.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY4/sfskNZI30y1K9AQjKYw/9HcP4WfZZvXnqeS/mwqjRLDUdHO4rzpN2
OQrXICd9EJbgzdtSpjQnUBAqZKkS37Meq4SqcB7mCROxKztIP8lwaawts8vyoXVr
oCfsnYvEdCJtLl42JKcPpU24SUPYy+S5cDqtwMgIZ/kj4u0aBjsAaOPLar1RwOjA
JqesR7nAbs2xpcuhEMRKQwvI0KhB/VTpYjKoHfUoQyRanl5C7TewRna5ewUv1NRT
PZipnGIMfeuswkAwIeKWpkimmZrgzfTO6Bp5GIusxsDknFGrc867pQc4EaLo5Uuf
DmJhl2WPHdeYA7hcU5oR2l2j5Lse5c5aL1OpJesuiU33AxlHxPZgSBwDAyh4eJ1G
gNBpvHL8YDPldnwpFwmJlstYmDwheFWO9uulw/EF30loY/AJX74uDUc2S1qOeu9R
32hQY2gUOLdMVwLobN7PaCy2Ntby+2XQlex0RjX9chMzx8ZZBsmlKDMuRThyxDe9
+2Itb5X/Ue1dIXMRmBrqRpTaF8GYgCCUyI3T+ZimBGxztGWYEniGhcAKgudH2V93
4a8dEmUIlo6x/9cTCrHtpZu38A57e2lPnYhvN1UL+xkly0uc0alYOz7KjDUTRxVa
avcgzPOc4B3j35zwOBdVr4BQ7slqdgVaypEh3Gge3zycT8xAFlGlzshEfdtp5OPF
TOvAWlrA/RM=
=+T0f
-----END PGP SIGNATURE-----
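The bulletin's Summary names two missing controls: no log entry for a failed credential check (CWE-778) and no limit on how many failures are accepted. The block below is an added illustration of what the corrected behaviour looks like and is not Fortinet's code or part of the AusCERT bulletin: a login gate that writes an audit record for every attempt before returning a result, locks an account after a bounded number of failures inside a time window, and a small aggregation over those audit records of the kind a SIEM rule would run. The account name, salt, password, IP addresses and the policy constants are all constructed for the example; the real credential store and policy values of any product are outside it.

```python
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Policy constants (assumed values for this example, not any vendor's setting).
MAX_FAILURES = 5          # failed attempts allowed per account inside FAILURE_WINDOW
FAILURE_WINDOW = 300      # seconds over which failures are counted
LOCKOUT_SECONDS = 900     # how long an account stays locked once the limit is hit


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept low so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store with one demo account; not a real credential.
_SALT = b"constructed-demo-salt-16"
USERS = {"admin": _hash_password("correct horse battery staple", _SALT)}


class AuthGate:
    """Front door that (1) logs every attempt, success or failure, and
    (2) locks an account after MAX_FAILURES failures within FAILURE_WINDOW.
    These are the two controls the bulletin reports as missing."""

    def __init__(self):
        self.audit_log = []                    # JSON lines, one per attempt
        self._failures = defaultdict(deque)    # username -> recent failure timestamps
        self._locked_until = {}                # username -> epoch second the lock expires

    def _record(self, **fields):
        # Written before the result is returned, so a burst of wrong guesses
        # always leaves a trail even when no guess succeeds.
        self.audit_log.append(json.dumps(fields, sort_keys=True))

    def attempt(self, username, password, source_ip, now):
        # Locked accounts are refused without evaluating the password at all.
        if self._locked_until.get(username, 0) > now:
            self._record(ts=now, user=username, src=source_ip, result="locked")
            return "locked"

        # Constant-time comparison; unknown users get a dummy comparison so the
        # response time does not reveal which usernames exist.
        expected = USERS.get(username, b"\x00" * 32)
        ok = hmac.compare_digest(_hash_password(password, _SALT), expected) and username in USERS
        if ok:
            self._failures.pop(username, None)
            self._record(ts=now, user=username, src=source_ip, result="success")
            return "ok"

        # Count the failure and drop entries that have aged out of the window.
        window = self._failures[username]
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()

        if len(window) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            window.clear()
            self._record(ts=now, user=username, src=source_ip, result="failure", action="lockout")
            return "locked"

        self._record(ts=now, user=username, src=source_ip, result="failure",
                     remaining=MAX_FAILURES - len(window))
        return "denied"


def failures_per_source(audit_lines):
    """Detection side: count failed and locked attempts per source IP from the
    JSON audit lines, the aggregation an alerting rule would threshold on."""
    counts = defaultdict(int)
    for line in audit_lines:
        rec = json.loads(line)
        if rec["result"] in ("failure", "locked"):
            counts[rec["src"]] += 1
    return dict(counts)


def demo():
    """Six wrong guesses from one constructed source, then the right password
    while locked, then the right password after the lock has expired."""
    gate = AuthGate()
    src = "198.51.100.7"  # constructed documentation address
    results = [gate.attempt("admin", f"guess{i}", src, now=1000 + i) for i in range(6)]
    results.append(gate.attempt("admin", "correct horse battery staple", src, now=1007))
    results.append(gate.attempt("admin", "correct horse battery staple", src, now=2000))
    return results, failures_per_source(gate.audit_log)


if __name__ == "__main__":
    outcomes, per_source = demo()
    print(outcomes)
    print(per_source)
```

The fifth failure trips the lockout, the sixth guess and the correct password that follows are both refused without touching the credential store, and the lock expires on its own after `LOCKOUT_SECONDS`. Every one of those outcomes is in `audit_log`, which is what lets `failures_per_source` attribute the burst to its origin; on the affected builds the bulletin describes, that trail would not exist.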