Fortinet released security fix for the vulnerability — Security ByPass
CVE-2021-22128 — FortiProxy SSL VPN
FortiProxy — a secure web proxy that protects employees against internet-borne attacks by incorporating multiple detection techniques.
Techniques such as web filtering, DNS filtering, data loss prevention, antivirus, intrusion prevention and advanced threat protection.
However, Fortinet PSIRT Team discovered a security bypass vulnerability was found in Fortinet FortiProxy SSL VPN.
Vulnerability Description:
An improper access control vulnerability in FortiProxy SSL VPN portal 2.0.0, 1.2.9 and below versions may allow an authenticated, remote attacker to access internal service such as the ZebOS Shell on the FortiProxy appliance through the Quick Connection functionality.
However, Successful exploitation can enable an attacker to access internal service.
Affected Products
Here the vulnerable FortiProxy version are:
- v2.0.0
- v1.2.9 and below
- v1.1.6 and below
- v1.0.7 and below
Severity
Also, the vulnerability is considered as MEDIUM severity with below base score:
CVSSv3 Score | 6.9 |
Solutions
According to Fortinet PSIRT Team, recommended to upgrade FortiProxy to
- versions 2.0.1 or above
- versions 1.2.10 or above.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment