CVE-2023-42787: 
Fortinet FortiManager vulnerability analysis and mitigation

A client-side enforcement of server-side security vulnerability (CVE-2023-42787) was discovered in Fortinet FortiManager and FortiAnalyzer. The vulnerability was disclosed on October 10, 2023, affecting FortiManager version 7.4.0 and versions before 7.2.3, as well as FortiAnalyzer version 7.4.0 and versions before 7.2.3. This security flaw was identified by security researchers from Orange Cyberdéfense and Orange CERT-CC (Fortinet Advisory).

The vulnerability is classified as CWE-602 (Client-Side Enforcement of Server-Side Security) with a CVSS v3.1 base score of 6.5 MEDIUM. The vulnerability stems from improper server-side control on the JSConsole usage for low-privileged users and insufficient permission control for sensitive JSConsole commands. The technical assessment reveals that the flaw can be exploited through client-side code execution, allowing unauthorized access to privileged web console features (Orange Advisory, NVD).

The vulnerability allows a remote attacker with low privileges to access sensitive configuration information, including encrypted passwords and certificates, concerning all registered FortiGate devices, regardless of ADOM segmentation. This represents a significant breach of access control mechanisms, potentially exposing confidential system information to unauthorized users (Orange Advisory).

Fortinet has released security patches to address this vulnerability. FortiManager users should upgrade to version 7.4.1 or above for 7.4.x versions, 7.2.4 or above for 7.2.x versions, and 7.0.10 or above for 7.0.x versions. FortiAnalyzer users should upgrade to version 7.2.6 or above for 7.2.x versions, while users of versions 7.0.x, 6.4.x, and 6.2.x should migrate to a fixed release (Fortinet Advisory).