07.08.2022
Fortinet Patches Released
Date of Notice: 07/08/2022
Action Level - High
Description
MCNC would like to make you aware of multiple Fortinet vulnerabilities for which patches have recently been released. A FortiClient vulnerability could let a local attacker gain SYSTEM privileges, and a FortiOS vulnerability could let an attacker execute CLI commands on multiple Fortinet devices. Other Fortinet vulnerabilities have been patched at the same time, so it is strongly recommended that you review your Fortinet environment and update or patch as needed.
Affected Devices
- FortiClient
  - FortiClientWindows version 7.0.0 through 7.0.2
  - FortiClientWindows version 6.4.0 through 6.4.6
  - FortiClientWindows version 6.2.0 through 6.2.9
- FortiManager
  - FortiManager version 5.6.0 through 5.6.11
  - FortiManager version 6.0.0 through 6.0.11
  - FortiManager version 6.2.0 through 6.2.9
  - FortiManager version 6.4.0 through 6.4.7
  - FortiManager version 7.0.0 through 7.0.2
- FortiOS
  - FortiOS version 6.0.0 through 6.0.14
  - FortiOS version 6.2.0 through 6.2.10
  - FortiOS version 6.4.0 through 6.4.8
  - FortiOS version 7.0.0 through 7.0.5
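As an added example (not part of this notice and not a Fortinet tool), the following Python script checks the version strings collected from an inventory against the affected ranges listed above. The range table is transcribed from this notice; the accepted version-string formats, the sample inventory and its host names are assumptions made for illustration. A version that falls outside every listed range is reported as "not in listed ranges" rather than "safe", because the notice only enumerates the ranges the vendor patched.

```python
"""Triage Fortinet product versions against the affected ranges in this notice.

Added example: not part of the MCNC notice or of any Fortinet tooling.
AFFECTED is transcribed from the notice. The version-string formats that
parse_version() accepts and the sample inventory are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (first, last) affected ranges per product, from the notice.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiClientWindows": [
        ((7, 0, 0), (7, 0, 2)),
        ((6, 4, 0), (6, 4, 6)),
        ((6, 2, 0), (6, 2, 9)),
    ],
    "FortiManager": [
        ((5, 6, 0), (5, 6, 11)),
        ((6, 0, 0), (6, 0, 11)),
        ((6, 2, 0), (6, 2, 9)),
        ((6, 4, 0), (6, 4, 7)),
        ((7, 0, 0), (7, 0, 2)),
    ],
    "FortiOS": [
        ((6, 0, 0), (6, 0, 14)),
        ((6, 2, 0), (6, 2, 10)),
        ((6, 4, 0), (6, 4, 8)),
        ((7, 0, 0), (7, 0, 5)),
    ],
}

# Assumption: versions appear as an optional "v" followed by major.minor.patch;
# anything after the triple (build number, date, GA tag) is ignored.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first major.minor.patch triple from a version string.

    Returns None when no x.y.z triple is present so callers can flag
    unparseable inventory entries instead of silently treating them as safe.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(product: str, version_text: str) -> bool:
    """True if the version lies inside one of the notice's inclusive ranges."""
    if product not in AFFECTED:
        raise ValueError(f"product not covered by this notice: {product}")
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"cannot parse version: {version_text!r}")
    # Tuple comparison orders major, then minor, then patch.
    return any(lo <= version <= hi for lo, hi in AFFECTED[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Classify (host, product, version) rows.

    Status is one of: AFFECTED, not in listed ranges, UNPARSEABLE, UNKNOWN PRODUCT.
    """
    results = []
    for host, product, version_text in inventory:
        if product not in AFFECTED:
            status = "UNKNOWN PRODUCT"
        elif parse_version(version_text) is None:
            status = "UNPARSEABLE"
        elif is_affected(product, version_text):
            status = "AFFECTED"
        else:
            status = "not in listed ranges"
        results.append((host, product, version_text, status))
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-edge-1", "FortiOS", "v7.0.5,build0304,220314 (GA)"),
    ("fw-edge-2", "FortiOS", "7.0.6"),
    ("fmg-1", "FortiManager", "5.6.11"),
    ("laptop-42", "FortiClientWindows", "6.4.7"),
    ("laptop-43", "FortiClientWindows", "6.4.6"),
    ("fw-lab", "FortiOS", "unknown"),
]

if __name__ == "__main__":
    for host, product, version_text, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {product:20} {version_text:32} {status}")
```

Feed the script the product and version exactly as reported by each device; the regular expression tolerates the build and date suffix that FortiOS appends, but an entry it cannot parse is flagged rather than passed.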
Attack Vector
- CVE-2021-41031 (FortiClient)
  - Local unprivileged attacker
- CVE-2021-43072 (FortiOS and other devices)
  - Network; requires the ability to reach the device over TFTP.
Attack Feasibility
Several of these vulnerabilities are straightforward to exploit, but no public exploit was known at the time of this notice.
Mitigations
- CVE-2021-41031 (FortiClient)
  - No vendor workaround. Until the patch is applied, restrict local and interactive access on affected endpoints to trusted users only.
- CVE-2021-43072 (FortiOS and other devices)
  - Block TFTP at the network level, or restrict network access to the device's management interfaces to trusted hosts.
Remediations
Update to the fixed versions specified in the vendor documentation below.
Vendor Resources
- Fortinet PSIRT Advisory - CVE-2021-41031
- Fortinet PSIRT Advisory - CVE-2021-43072