Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Fortinet Products Authentication Bypass Vulnerability via FortiCloud SSO

Vulnerability

A vulnerability allowing authentication bypass through FortiCloud Single Sign-On (SSO) has been identified in multiple Fortinet products, including FortiAnalyzer, FortiManager, FortiOS, and FortiProxy. It affects several releases in the 7.x series of these products; FortiAnalyzer 6.4 and FortiManager 6.4 are not affected. The issue arises when FortiCloud SSO authentication is enabled: an attacker who holds a FortiCloud account with a registered device can log into other devices that are registered to different FortiCloud accounts. The vulnerability was exploited in the wild, leading Fortinet to temporarily disable FortiCloud SSO authentication before restoring it with restrictions for vulnerable devices.

Impact

Exploitation of this vulnerability allows unauthorized access to affected devices: the attacker can log in as an administrator and create a local admin account for persistence. This access can be used to download customer configuration files and potentially modify device settings.

Remediation

Fortinet has advised users to upgrade to the latest versions of the affected products. For FortiAnalyzer, FortiManager, and FortiOS, users should upgrade to the upcoming versions 7.6.6, 7.4.10, 7.2.13, or 7.0.19, depending on their current branch. FortiProxy users should upgrade to version 7.6.6 or 7.4.13, depending on their current version. After upgrading, FortiCloud SSO authentication will function properly again. If indicators of compromise (IoCs) from exploitation are found, Fortinet recommends treating the system as compromised, restoring a clean configuration, and auditing for unauthorized changes.
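Since the impact described above is a persistent local admin account, a defender's audit of a configuration backup should compare the admin list against a known baseline and confirm whether FortiCloud SSO admin login is still enabled. The following is an added example, not code from the advisory or from Fortinet; it assumes FortiOS CLI export syntax (top-level "config ... end" sections, "edit ... next" entries) and the "admin-forticloud-sso-login" global setting, and runs over a constructed sample config.

```python
import re

# Constructed sample of a FortiOS CLI configuration export (assumed syntax,
# not taken from the advisory): one expected admin, one unexpected extra
# account, and FortiCloud SSO admin login left enabled.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "support_tmp"
        set accprofile "super_admin"
    next
end
"""

# Top-level sections start at column 0; nested blocks are indented, so their
# own "end" lines do not terminate the enclosing section.
BLOCK_RE = re.compile(r"^config (.+?)\n(.*?)^end$", re.S | re.M)
EDIT_RE = re.compile(r'^\s*edit "([^"]+)"\n(.*?)^\s*next$', re.S | re.M)


def parse_blocks(text):
    """Map each top-level 'config ...' section name to its raw body."""
    return {name: body for name, body in BLOCK_RE.findall(text)}


def admin_accounts(text):
    """Return {account_name: accprofile} from 'config system admin'."""
    body = parse_blocks(text).get("system admin", "")
    accounts = {}
    for name, settings in EDIT_RE.findall(body):
        m = re.search(r'set accprofile "([^"]+)"', settings)
        accounts[name] = m.group(1) if m else None
    return accounts


def forticloud_sso_enabled(text):
    """True if the global FortiCloud SSO admin login setting is enabled."""
    body = parse_blocks(text).get("system global", "")
    return re.search(r"^\s*set admin-forticloud-sso-login enable$", body, re.M) is not None


def audit(text, baseline):
    """Flag admin accounts missing from the baseline and an enabled SSO login."""
    findings = []
    for name, profile in admin_accounts(text).items():
        if name not in baseline:
            findings.append(f"unexpected admin account '{name}' (profile {profile})")
    if forticloud_sso_enabled(text):
        findings.append("FortiCloud SSO admin login is enabled; confirm patched version")
    return findings
```

Any account the audit flags should be checked against change records before the device is treated as clean; an unexplained extra super_admin account is the persistence pattern the advisory describes.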

Added: Jan 27, 2026, 8:27 PM
Updated: Jan 27, 2026, 10:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 5.0
exploitability: 6.0
remediation: 8.3
relevance: 2.4
threat: 8.1
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.