PSIRT Advisory

FortiOS HTTPD is vulnerable to a Stack-based Buffer Overflow vulnerability

Summary

A Stack-based Buffer Overflow vulnerability in the HTTPD daemon of FortiOS may allow an authenticated remote attacker to crash the service by sending a malformed PUT request to the server. Fortinet is not aware of any successful exploitation of this vulnerability that would lead to code execution.

Impact

Crash of the HTTPD service.

Affected Products

FortiOS versions 6.0.10 and below. FortiOS versions 6.2.2 and below.

Solutions

Please upgrade to FortiGate version 6.0.11 or above. Please upgrade to FortiGate version 6.2.3 or above. Please upgrade to FortiGate version 6.4.0 or above.

Acknowledgement

Fortinet is pleased to thank Cody Sixteen ( https://code610.blogspot.com/) for reporting this issue under responsible disclosure.