Multiple heap corruption vulnerabilities in FSA's command shell

Summary

Multiple instances of heap-based buffer overflow in the command shell of FortiSandbox may allow an authenticated attacker to manipulate memory and alter its content by means of specifically crafted command line arguments.

Affected Products

FortiSandbox 3.2.2 and below.
FortiSandbox 3.1.4 and below.

Solutions

Upgrade to FortiSandbox 4.0.0.
Upgrade to FortiSandbox 3.2.3.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.

Timeline

2021-08-03: Initial publication