PSIRT Advisory

FortiOS SSL VPN buffer overrun through POST message payload

Summary

Failure to properly parse message payloads in the SSL VPN portal of FortiOS may allow a non-authenticated attacker to perform a Denial of Service attack via exploiting a buffer overflow.

Impact

Denial-of-Service Attack (DoS)

Affected Products

FortiOS 6.0.0 to 6.0.4

FortiOS 5.6.0 to 5.6.7

FortiOS 5.4 and below

Solutions

Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0

Workarounds:

Disable the SSL-VPN web portal service by applying the following CLI commands:

For FortiOS 5.0 and below branches:

config vpn ssl settings
set sslvpn-enable disable
end

For FortiOS 5.2 and above branches:

config vpn ssl settings
unset source-interface
end

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.