PSIRT Advisories

Uncontrolled Resource Consumption (Unauthenticated Denial of Service) in login module

Summary

An uncontrolled resource consumption (denial of service) vulnerability in FortiSandbox and FortiAuthenticator login modules may allow an unauthenticated attacker to bring the device into an unresponsive state via specifically-crafted long request parameters.
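The class of bug described above is typically mitigated by bounding request size and per-parameter length before the login path does any expensive work (parsing, password hashing). The following is an added illustration, not Fortinet code and not the patched module; the caps, field names, salt and stored hash are constructed for the example.

```python
# Added example: reject oversized login parameters before any costly processing.
# MAX_BODY_BYTES / MAX_FIELD_BYTES are assumed limits, not values from the advisory.
import hashlib
import hmac
from urllib.parse import parse_qsl

MAX_BODY_BYTES = 4096                                   # cap for the whole form body
MAX_FIELD_BYTES = {"username": 256, "password": 1024}   # per-field caps (assumed)

# Constructed credential record for the demo user "alice".
SALT = b"constructed-salt"
STORED = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 200_000)


def check_login_request(body: bytes) -> tuple[bool, str]:
    """Cheap guard: size and field-length checks only, no hashing."""
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds MAX_BODY_BYTES"
    fields = dict(parse_qsl(body.decode("utf-8", errors="replace"),
                            keep_blank_values=True))
    unknown = set(fields) - set(MAX_FIELD_BYTES)
    if unknown:
        return False, f"unexpected parameters: {sorted(unknown)}"
    for name, limit in MAX_FIELD_BYTES.items():
        if len(fields.get(name, "").encode("utf-8")) > limit:
            return False, f"{name} exceeds {limit} bytes"
    return True, "ok"


def verify_password(password: str) -> bool:
    # Deliberately expensive (PBKDF2, 200k rounds): this is the work an
    # unbounded parameter would amplify if the guard above were absent.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)
    return hmac.compare_digest(digest, STORED)


def handle_login(body: bytes) -> int:
    """Return an HTTP status: 413 (too large), 400 (bad fields), 401 or 200."""
    ok, reason = check_login_request(body)
    if not ok:
        return 413 if reason.startswith("body exceeds") else 400
    fields = dict(parse_qsl(body.decode("utf-8"), keep_blank_values=True))
    if fields.get("username") != "alice" or not verify_password(fields.get("password", "")):
        return 401
    return 200
```

The ordering is the point: the guard runs on raw byte lengths first, so a request carrying a multi-megabyte parameter is dropped without ever reaching the hashing step.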

Affected Products

FortiSandbox version 3.0.0 through 3.0.6
FortiSandbox version 3.1.0 through 3.1.4
FortiSandbox version 3.2.0 through 3.2.1

FortiAuthenticator version 4.3.0 through 4.3.4
FortiAuthenticator version 5.0.0
FortiAuthenticator version 5.1.0 through 5.1.2
FortiAuthenticator version 5.2.0 through 5.2.2
FortiAuthenticator version 5.3.0 through 5.3.1
FortiAuthenticator version 5.4.0 through 5.4.1
FortiAuthenticator version 5.5.0
FortiAuthenticator version 6.0.0 through 6.0.5

Solutions

Upgrade to FortiSandbox 4.0.0 or above.
Upgrade to FortiSandbox 3.2.2 or above.
Upgrade to FortiSandbox 3.1.5 or above.
Upgrade to FortiSandbox 3.0.7 or above.

Upgrade to FortiAuthenticator version 6.3.0 or above.
Upgrade to FortiAuthenticator version 6.2.0 or above.
Upgrade to FortiAuthenticator version 6.1.0 or above.
Upgrade to FortiAuthenticator version 6.0.6 or above.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.