Does Fortinet’s CVE leave you with questions? How many unknown vulnerabilities remain undiscovered in the REST API framework? (CVE-2021-2400 – 6th Sep 2021)

Preface: Dashboard, a popular design trend concept in the digital world.
As the cloud and the Internet of Things force the network to evolve, even operational work and network security can be managed in the
same dashboard.

Background: Permission checks will typically use the authentication information in the request.user and request.auth properties to determine if the incoming request should be permitted.

One of the possibilities: if a firewall administrator enables read-write JSON API access on FortiManager, the following issue may arise.
A slightly less strict style of permission would be to allow full access to authenticated users, but allow read-only access to unauthenticated users. This corresponds to the IsAuthenticatedOrReadOnly class in REST framework.

Vulnerability details: An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL.
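To make the distinction concrete, here is an added example (not code from the post, from Fortinet, or from REST framework) contrasting a coarse IsAuthenticatedOrReadOnly-style check with a profile-based one. The User/Request objects, the profile dictionary and the resource names are constructed stand-ins for the request.user and request.auth attributes the text mentions; they do not model FortiManager’s actual implementation.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the DRF request: only request.user and
# request.auth, the two attributes a permission check consults, are modelled.
@dataclass
class User:
    username: str
    is_authenticated: bool = True
    # Hypothetical per-resource grants, e.g. {"sdwan_orchestrator": "read-write"}
    profile: dict = field(default_factory=dict)

@dataclass
class Request:
    method: str
    user: User
    auth: object = None  # token/session details; unused by these checks

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

def is_authenticated_or_read_only(request: Request, resource: str) -> bool:
    """Coarse check in the spirit of IsAuthenticatedOrReadOnly: anyone may
    read, any authenticated user may write. The resource argument is ignored,
    so a restricted-profile user who can log in gets full access."""
    if request.method in SAFE_METHODS:
        return True
    return request.user.is_authenticated

def has_profile_permission(request: Request, resource: str) -> bool:
    """Hardened check: authentication is necessary but not sufficient. The
    user's profile must explicitly grant this resource, and a write needs a
    read-write grant. Visiting a panel's URL directly changes nothing here."""
    if not request.user.is_authenticated:
        return False
    grant = request.user.profile.get(resource)
    if grant is None:
        return False
    if request.method in SAFE_METHODS:
        return grant in ("read-only", "read-write")
    return grant == "read-write"

# Constructed sample users: one restricted profile, one full administrator.
restricted = User("auditor", profile={"log_view": "read-only"})
admin = User("superadmin", profile={"sdwan_orchestrator": "read-write",
                                     "log_view": "read-write"})
```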

Vendor announcement – https://www.fortiguard.com/psirt/FG-IR-20-061
