Multiple vulnerabilities in Fortinet FortiMail



Risk High
Patch available YES
Number of vulnerabilities 10
CVE-ID CVE-2021-26099
CVE-2021-26100
CVE-2021-24020
CVE-2021-24007
CVE-2021-24015
CVE-2021-26090
CVE-2021-26091
CVE-2021-26095
CVE-2021-24013
CVE-2021-22129
CWE-ID CWE-325
CWE-89
CWE-78
CWE-401
CWE-338
CWE-326
CWE-22
CWE-119
Exploitation vector Network
Public exploit N/A
Vulnerable software
Fortinet FortiMail
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor Fortinet, Inc

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

1) Missing Required Cryptographic Step

EUVDB-ID: #VU54791

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-26099

CWE-ID: CWE-325 - Missing Required Cryptographic Step

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to missing cryptographic steps in FortiMail IBE. A remote attacker who comes in possession of the encrypted master keys can compromise their confidentiality by observing a few invariant properties of the ciphertext.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fortinet FortiMail: 5.0 - 6.4.4

CPE2.3 External links

http://fortiguard.com/advisory/FG-IR-20-244


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Missing Required Cryptographic Step

EUVDB-ID: #VU54790

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-26100

CWE-ID: CWE-325 - Missing Required Cryptographic Step

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a missing cryptographic step in FortiMail IBE. A remote attacker who intercepts the encrypted messages can manipulate them in such a way that makes the tampering and the recovery of the plaintexts possible.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fortinet FortiMail: 5.0 - 6.4.4

CPE2.3 External links

http://fortiguard.com/advisory/FG-IR-21-003


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Missing required cryptographic step

EUVDB-ID: #VU54787

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-24020

CWE-ID: CWE-325 - Missing Required Cryptographic Step

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass signature verification.

The vulnerability exists due to a missing cryptographic step in the implementation of the hash digest algorithm in FortiMail. A remote non-authenticated attacker can tamper with signed URLs by appending further data which allows bypass of signature verification.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fortinet FortiMail: 6.2.0 - 6.4.4

CPE2.3 External links

http://fortiguard.com/advisory/FG-IR-21-027


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) SQL injection

EUVDB-ID: #VU54784

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-24007

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote non-authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fortinet FortiMail: 5.0 - 6.4.3

CPE2.3 External links

http://fortiguard.com/advisory/FG-IR-21-012


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) OS Command Injection

EUVDB-ID: #VU54779

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-24015

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in FortiMail administrative interface. A remote authenticated user can send a specially crafted HTTP request and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fortinet FortiMail: 5.0.0 - 6.4.3

CPE2.3 External links

http://fortiguard.com/advisory/FG-IR-21-021


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Memory leak

EUVDB-ID: #VU54776

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-26090

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in FortiMail Webmail. A remote attacker can exhaust available memory resources via specifically crafted login requests.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fortinet FortiMail: 6.4.0 - 6.4.4

CPE2.3 External links

http://fortiguard.com/advisory/FG-IR-21-042


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Use of cryptographically weak pseudo-random number generator (PRNG)

EUVDB-ID: #VU54775

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-26091

CWE-ID: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Exploit availability: No

Description

The vulnerability allows a remote attacker to reset credentials of other users.

The vulnerability exists due to usage of weak pseudo-random number generator in the authenticator of FortiMail Identity Based Encryption service. A remote attacker can infer parts of users authentication tokens and reset their credentials.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fortinet FortiMail: 6.2.0 - 6.4.4

CPE2.3 External links

http://www.fortiguard.com/psirt/FG-IR-21-031


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Inadequate encryption strength

EUVDB-ID: #VU54772

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-26095

CWE-ID: CWE-326 - Inadequate Encryption Strength

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to a combination of various cryptographic issues in the session management of FortiMail, including the encryption construction of the session cookie. A remote user with possession of a valid session cookie can decrypt it and reveal or alter its content.

Successful exploitation of the vulnerability may allow an attacker to escalate privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fortinet FortiMail: 6.2.0 - 6.4.4

CPE2.3 External links

http://www.fortiguard.com/psirt/FG-IR-21-019


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Path traversal

EUVDB-ID: #VU54731

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-24013

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user  can send a specially crafted HTTP request and read arbitrary files on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Fortinet FortiMail: 5.0.0 - 6.4.3

CPE2.3 External links

http://fortiguard.com/advisory/FG-IR-21-014


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Buffer overflow

EUVDB-ID: #VU54728

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22129

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to multiple boundary errors within the FortiMail Webmail and Administrative interfaces. A remote authenticated user can send a specially crafted HTTP request, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fortinet FortiMail: 5.0.0 - 6.4.4

CPE2.3 External links

http://fortiguard.com/advisory/FG-IR-21-023


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###