===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3059
        FortiOS reveals platform information without authentication
                              12 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Publisher:         Fortinet
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-13367

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-18-173

--------------------------BEGIN INCLUDED TEXT--------------------

IR Number : FG-IR-18-173
Date      : Aug 08, 2019
Risk      : 1/5
Impact    : Information Disclosure
CVE ID    : CVE-2018-13367

Summary

An information exposure vulnerability in FortiOS WEB UI may allow an
unauthenticated attacker to gain platform information such as version, via
parsing a JavaScript file.

Impact

Information Disclosure

Affected Products

FortiOS 6.2.0 and below

Solutions

Upgrade to FortiOS 6.2.1 or above

Acknowledgement

Fortinet is pleased to thank Alp Hisim of Biznet Bilisim (www.biznet.com.tr)
and an independent research team Denis Kolegov, Maxim Gorbunov, Nikita Oleksov
and Anton Nikolaev for reporting this vulnerability under responsible
disclosure.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================