PSIRT Advisories

Denial of Service vulnerability impacts the SSL VPN service of FortiOS and FortiProxy.

Summary

An Improper Input Validation vulnerability in the SSL VPN portal of FortiOS and FortiProxy may allow an unauthenticated remote attacker to crash the SSL VPN service by sending a crafted POST request.

Affected Products

FortiOS versions 6.2.1 and below.

FortiOS versions 6.0.6 and below.

At least:

FortiProxy version 1.0.0 through 1.0.7

FortiProxy version 1.1.0 through 1.1.6

FortiProxy version 1.2.0 through 1.2.13

FortiProxy version 2.0.0 through 2.0.8

Solutions

Please upgrade to FortiOS version 6.2.2 and above.

Please upgrade to FortiOS version 6.0.7 and above.

Please upgrade to FortiProxy version 7.0.0 or above.

Please upgrade to FortiProxy version 2.0.9 or above.

Acknowledgement

Fortinet is pleased to thank Qingtang Zheng from CodeSafe Team of Legendsec at Qi'anXin Group for bringing this issue to our attention under responsible disclosure.