```
config system global
    set admin-forticloud-sso-login disable
end
```

Affected applications should then be updated to the latest versions, and SSO re-enabled.

Robert Beggs, head of Canadian-based incident response firm DigitalDefence, said that fortunately the vulnerability was identified by FortiGuard’s internal team. “If it had been announced by a third party, then it would have been more likely a vulnerability that was being actively exploited in the wild,” he observed. “It appears that this may have been identified in time to get a warning out and minimize potential compromises.”

The fact that a pair of vulnerabilities affects a number of a manufacturer’s offerings shows the downside of having a shared code base for their products, Beggs added. “While on the one hand, it allows the vendor to rapidly scale the number and functionality of products and to ensure integrated operation, on the other hand, the codebase becomes a single point of failure. These FortiGuard issues demonstrate both sides of the coin.”

“The vulnerability is critical, and security teams must apply the recommended steps,” he said.

Fortinet was asked for comment, but did not respond by publication time.
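A practical follow-up to the workaround above is checking, across a fleet, which devices still have the FortiCloud SSO admin login enabled. The script below is an added example written for this page; it is not code from the CSO article or from Fortinet. It assumes a configuration backup in the plain-text format FortiOS produces for `show full-configuration` (a `config system global` block containing `set admin-forticloud-sso-login enable|disable`, indented one level inside `config global` on multi-VDOM units). The two sample backups embedded in it are constructed for the demo; the hostnames and other values are made up.

```sh
#!/bin/sh
# Added example (not from the CSO article or from Fortinet): audit a FortiOS
# configuration backup for the FortiCloud SSO admin-login setting that the
# interim workaround turns off. Reads "show full-configuration"-style text on
# stdin and prints "enable", "disable" or "unset" (key absent from the backup).
forticloud_sso_state() {
    awk '
        # Enter "config system global"; it is indented inside "config global"
        # on multi-VDOM units, so allow leading whitespace.
        !in_global && /^[[:space:]]*config system global[[:space:]]*$/ {
            in_global = 1; depth = 1; next
        }
        # Track nested config/end pairs so an "end" that closes an inner
        # block does not terminate the outer block early.
        in_global && /^[[:space:]]*config / { depth++; next }
        in_global && /^[[:space:]]*end[[:space:]]*$/ {
            if (--depth == 0) in_global = 0
            next
        }
        in_global && depth == 1 && $1 == "set" && $2 == "admin-forticloud-sso-login" {
            state = $3
        }
        END { print (state == "" ? "unset" : state) }
    '
}

# Exit 0 when the backup still has SSO admin login enabled, i.e. the
# interim workaround has not been applied to this device.
needs_workaround() {
    [ "$(forticloud_sso_state)" = "enable" ]
}

# Constructed sample backups (hostnames and values are made up), trimmed to
# the blocks that matter. The first is a single-VDOM unit that has not been
# hardened; the second is a multi-VDOM unit with the workaround applied.
sample_enabled() {
    cat <<'EOF'
#config-version=FGT-7.4.0:opmode=0:vdom=0
config system global
    set hostname "edge-fw-01"
    set admin-forticloud-sso-login enable
    set timezone "America/Toronto"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
EOF
}

sample_disabled() {
    cat <<'EOF'
#config-version=FGT-7.4.0:opmode=0:vdom=1
config global
    config system global
        set hostname "edge-fw-02"
        set admin-forticloud-sso-login disable
    end
end
EOF
}

# Stand-alone demo: report each sample the way a fleet audit would.
for s in sample_enabled sample_disabled; do
    if "$s" | needs_workaround; then
        echo "$s: SSO admin login enabled -> apply workaround, then update"
    else
        echo "$s: SSO admin login $("$s" | forticloud_sso_state)"
    fi
done
```

Pointing `forticloud_sso_state` at real backups (`forticloud_sso_state < fw.conf`) gives a per-device list of who still needs the workaround; an `unset` result means the key was not present in that backup at all, which should be checked on the device rather than treated as safe.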
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4104499/fortinet-admins-urged-to-update-software-to-close-forticloud-sso-holes.html