PSIRT Advisories

Buffer Underwrite in firmware verification

Summary

A buffer underwrite (CWE-124) vulnerability in the firmware verification routine of FortiAnalyzer, FortiManager, FortiNDR, FortiOS, FortiWeb, FortiSwitch, FortiProxy and FortiADC may allow an attacker located on an adjacent network to execute arbitrary code via a specifically crafted firmware image.


Note:

The vulnerability could be "exploited" by an attacker who has already gained a foothold inside the perimeter, namely on the tftp/ftp server that distributes the installation images. Management stations and external USB sticks could also be abused to deliver spurious images; therefore care must be taken in ascertaining their origin.

FortiGate F and E models released in 2019 and later are able to interrupt the installation of corrupted images thanks to an additional image signature verification.
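The weakness class named above, CWE-124, is an out-of-bounds write at an address before the start of a buffer. In a firmware image parser this typically arises when an offset read from the untrusted image header is used in pointer arithmetic without a check that it is non-negative and inside the buffer. The following is an added example, not Fortinet's code and not the layout of any Fortinet image: it defines a hypothetical 16-byte header (constructed magic value, signed signature offset, signature length, payload length), shows an unchecked locate routine of the kind that produces the underwrite, and beside it the bounds-checked form that rejects a crafted image before any memory is touched.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical header layout, constructed for this example only. */
#define FW_MAGIC      0x46574831u   /* "FWH1" (constructed) */
#define FW_HEADER_LEN 16u
#define FW_BODY_LEN   16u

struct fw_header {
    uint32_t magic;
    int32_t  sig_offset;   /* signed: a negative value is the CWE-124 trigger */
    uint32_t sig_len;
    uint32_t payload_len;
};

/* Big-endian field helpers for the untrusted byte buffer. */
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static int parse_header(const uint8_t *img, size_t img_len, struct fw_header *h) {
    if (img_len < FW_HEADER_LEN) return 0;
    h->magic       = rd32(img);
    h->sig_offset  = (int32_t)rd32(img + 4);
    h->sig_len     = rd32(img + 8);
    h->payload_len = rd32(img + 12);
    return h->magic == FW_MAGIC;
}

/* UNCHECKED pattern (do not use): trusts the header offset. A negative
 * sig_offset yields a pointer before img; a later write through it is the
 * buffer underwrite. Kept here only to contrast with the checked version. */
static const uint8_t *locate_signature_unchecked(const uint8_t *img, size_t img_len) {
    struct fw_header h;
    if (!parse_header(img, img_len, &h)) return NULL;
    return img + h.sig_offset;
}

/* CHECKED version: returns the signature region only if it lies entirely
 * inside [img + FW_HEADER_LEN, img + img_len). Every comparison is written so
 * that it cannot itself overflow (end check uses img_len - offset). */
const uint8_t *locate_signature(const uint8_t *img, size_t img_len, size_t *out_len) {
    struct fw_header h;
    if (!parse_header(img, img_len, &h)) return NULL;
    if (h.sig_offset < 0) return NULL;                              /* before buffer start */
    if ((size_t)h.sig_offset < FW_HEADER_LEN) return NULL;          /* overlaps the header */
    if ((size_t)h.sig_offset > img_len) return NULL;                /* past buffer end */
    if (h.sig_len == 0 || h.sig_len > img_len - (size_t)h.sig_offset) return NULL;
    *out_len = h.sig_len;
    return img + h.sig_offset;
}

/* Builds a constructed 32-byte image (header + 0xAA body) with the given fields.
 * Returns the image length, or 0 if the caller's buffer is too small. */
size_t build_image(uint8_t *buf, size_t cap, int32_t sig_offset, uint32_t sig_len) {
    const size_t total = FW_HEADER_LEN + FW_BODY_LEN;
    if (cap < total) return 0;
    wr32(buf, FW_MAGIC);
    wr32(buf + 4, (uint32_t)sig_offset);
    wr32(buf + 8, sig_len);
    wr32(buf + 12, FW_BODY_LEN);
    memset(buf + FW_HEADER_LEN, 0xAA, FW_BODY_LEN);
    return total;
}

/* Runs the checked locator on a constructed image; returns the accepted
 * signature offset, or -1 if the image was rejected. */
long accepted_signature_offset(int32_t sig_offset, uint32_t sig_len) {
    uint8_t buf[FW_HEADER_LEN + FW_BODY_LEN];
    size_t n = build_image(buf, sizeof buf, sig_offset, sig_len);
    size_t sig_len_out = 0;
    const uint8_t *sig = locate_signature(buf, n, &sig_len_out);
    return sig ? (long)(sig - buf) : -1L;
}

int main(void) {
    const int32_t offsets[] = { 16, 24, -8, 4, 28 };
    const uint32_t len = 8;
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        printf("sig_offset=%4d sig_len=%u -> %ld\n", offsets[i], len,
               accepted_signature_offset(offsets[i], len));
    (void)locate_signature_unchecked;  /* referenced only to show the contrast */
    return 0;
}
```

The checked routine treats a negative offset, an offset inside the header, an offset past the end, and a length that would run past the end as four separate rejections; the image signature verification mentioned for the FortiGate F and E models is a stronger control, since a corrupted header then fails authentication before its fields are ever interpreted.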

Affected Products

FortiOS version 7.0.0
FortiOS version 6.4.6 and below
FortiOS version 6.2.9 and below

FortiWeb version 6.4.1 and below
FortiWeb version 6.3.15 and below
FortiWeb version 6.2.5 and below
FortiWeb version 6.1.2 and below
FortiWeb version 6.0.7 and below
FortiWeb version 5.9.2 and below

FortiSwitch version 7.0.2 and below
FortiSwitch version 6.4.8 and below
FortiSwitch version 6.2.7 and below
FortiSwitch version 6.0.0 through 6.0.7

FortiProxy version 1.0.0 through 1.0.7
FortiProxy version 1.1.0 through 1.1.6
FortiProxy version 1.2.0 through 1.2.13
FortiProxy version 2.0.0 through 2.0.7

FortiAnalyzer version 6.0.0 through 6.0.11
FortiAnalyzer version 6.2.0 through 6.2.9
FortiAnalyzer version 6.4.0 through 6.4.7
FortiAnalyzer version 7.0.0 through 7.0.2

FortiADC version 5.0.0 through 5.0.4
FortiADC version 5.1.0 through 5.1.7
FortiADC version 5.2.0 through 5.2.8
FortiADC version 5.3.0 through 5.3.7
FortiADC version 5.4.0 through 5.4.5
FortiADC version 6.0.0 through 6.0.4
FortiADC version 6.1.0 through 6.1.5
FortiADC version 6.2.0 through 6.2.2

FortiNDR version 1.1.0
FortiNDR version 1.2.0
FortiNDR version 1.3.0 through 1.3.1
FortiNDR version 1.4.0
FortiNDR version 1.5.0 through 1.5.3

FortiManager version 6.0.0 through 6.0.11
FortiManager version 6.2.0 through 6.2.9
FortiManager version 6.4.0 through 6.4.7
FortiManager version 7.0.0 through 7.0.2

Solutions

Upgrade to FortiAnalyzer 7.0.3 or above.
Upgrade to FortiAnalyzer 6.4.8 or above.

Upgrade to FortiManager 7.0.3 or above.
Upgrade to FortiManager 6.4.8 or above.

Upgrade to FortiNDR 7.0.0 or above.

Upgrade to FortiOS 7.0.1 or above.
Upgrade to FortiOS 6.4.7 or above.
Upgrade to FortiOS 6.2.10 or above.

Upgrade to FortiWeb 7.0.0 or above.
Upgrade to FortiWeb 6.4.2 or above.
Upgrade to FortiWeb 6.3.16 or above.

Upgrade to FortiADC 7.0.0 or above.
Upgrade to FortiADC 6.2.3 or above.
Upgrade to FortiADC 6.1.6 or above.

Upgrade to FortiSwitch 7.0.3 or above.
Upgrade to FortiSwitch 6.4.9 or above.

Upgrade to FortiProxy 2.0.8 or above.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.