===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0399
              FortiManager TLS certificate validation failure
                             13 February 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiManager
Publisher:         FortiGuard
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-8495

Original Bulletin:
   http://fortiguard.com/advisory/FG-IR-16-055

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiManager TLS certificate validation failure

Date

Feb 08 2017

CVE ID

CVE-2016-8495

FortiManager does not properly validate TLS certificates when probing for 
devices to administer. This leads to potential pre-shared secret exposure.
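To make the failure mode concrete, the following Go program is an added illustration, not code from Fortinet, and nothing about FortiManager's real implementation is assumed: probe models a manager's discovery handshake, serve plays whatever host answers at a probed address using a constructed self-signed certificate, and the only thing separating correct from flawed behaviour is the tls.Config the probe runs with. With trust anchors and the expected device name set, a handshake with an unexpected certificate fails before any secret is sent; with InsecureSkipVerify, it completes against any certificate at all. The function names and the *.example host names are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed server certificate for name (constructed test data).
func selfSigned(name string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, err
}
// serve answers TLS handshakes with cert on a loopback port until the listener is closed.
func serve(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, nil
}
// probe is the manager's discovery handshake: nil means a session is up and the pre-shared
// secret would be sent next. Whether the peer is checked at all is decided entirely by cfg.
func probe(addr, expectedName string, cfg *tls.Config) error {
	c := cfg.Clone()
	c.ServerName = expectedName // the device we believe we are talking to
	conn, err := tls.Dial("tcp", addr, c) // the handshake, and any validation, happen here
	if err == nil {
		conn.Close()
	}
	return err
}
```

Running probe with a strict config (RootCAs holding the expected device certificate) against a host presenting a different certificate returns a verification error, while the same probe with InsecureSkipVerify returns nil, which is the moment the secret would leave the manager.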

Impact

Credentials exposure

Affected Products

FortiManager 5.0.6 to 5.2.7 and 5.4.0 to 5.4.1.

Risk

High

Solutions

Upgrade to FMG 5.2.8 or 5.4.2.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================