Buffer Underwrite in firmware verification

Summary

A buffer underwrite (CWE-124) vulnerability in the firmware verification routine of FortiWeb, FortiOS, FortiSwitch, FortiADC, FortiAI, FortiManager, FortiAnalyzer and FortiProxy may allow an attacker located in the adjacent network to potentially execute arbitrary code via a specifically crafted firmware image.
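To make the vulnerability class concrete, the following is an added illustration of CWE-124 in a firmware-image check, written for this page and not taken from any Fortinet product: the image layout (payload, signature, then a 4-byte little-endian signature length) and every function name are constructed for the example. It shows the unsafe arithmetic (a trailer length read from the image drives an offset that can land before the start of the buffer) next to a hardened layout check that rejects the image before any write happens.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical image layout, constructed for this example (not Fortinet's format):
 *   [ payload bytes ... ][ signature: sig_len bytes ][ sig_len: 4 bytes, little-endian ]
 * The verifier hashes only the payload, so it must first locate the signature. */

#define MAX_SIG_LEN 512u

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable arithmetic: trusts sig_len taken from the untrusted image. For
 * sig_len > img_len - 4 the result is negative, and a memset/memcpy at
 * img + result would write before img[0] (CWE-124, buffer underwrite).
 * This function only returns the offset; it never performs the write. */
long unchecked_sig_start(const uint8_t *img, size_t img_len) {
    uint32_t sig_len = read_le32(img + img_len - 4);
    return (long)img_len - 4 - (long)sig_len;
}

/* Hardened variant: each length from the image is checked against the buffer
 * actually in memory before it is used as an offset. Returns 0 or -1 (reject). */
int checked_sig_start(const uint8_t *img, size_t img_len,
                      size_t *sig_start, size_t *sig_len_out) {
    if (img == NULL || img_len < 4) return -1;            /* no room for length field */
    uint32_t sig_len = read_le32(img + img_len - 4);
    if (sig_len == 0 || sig_len > MAX_SIG_LEN) return -1; /* implausible signature size */
    if (sig_len > img_len - 4) return -1;                 /* would point before img[0] */
    *sig_start = img_len - 4 - sig_len;
    *sig_len_out = sig_len;
    return 0;
}

/* Zeroes the signature field in place so the payload can be hashed, but only
 * after the layout check passes. Returns 0 on success, -1 if rejected. */
int strip_signature(uint8_t *img, size_t img_len) {
    size_t start, len;
    if (checked_sig_start(img, img_len, &start, &len) != 0) return -1;
    memset(img + start, 0, len);
    return 0;
}

/* Builds a constructed test image: payload_len bytes of 0xAA, real_sig_len bytes
 * of 0x5A, then a trailer advertising claimed_sig_len. Returns total size, 0 if
 * it does not fit in cap. */
size_t build_image(uint8_t *buf, size_t cap, size_t payload_len,
                   size_t real_sig_len, uint32_t claimed_sig_len) {
    size_t total = payload_len + real_sig_len + 4;
    if (total > cap) return 0;
    memset(buf, 0xAA, payload_len);
    memset(buf + payload_len, 0x5A, real_sig_len);
    uint8_t *t = buf + payload_len + real_sig_len;
    t[0] = (uint8_t)(claimed_sig_len & 0xFF);
    t[1] = (uint8_t)((claimed_sig_len >> 8) & 0xFF);
    t[2] = (uint8_t)((claimed_sig_len >> 16) & 0xFF);
    t[3] = (uint8_t)((claimed_sig_len >> 24) & 0xFF);
    return total;
}

/* Scenario helpers: a 16-byte payload and an 8-byte real signature (28 bytes
 * total), with the trailer claiming whatever length the caller supplies. */
long scenario_unchecked_offset(uint32_t claimed_sig_len) {
    uint8_t img[64];
    size_t n = build_image(img, sizeof img, 16, 8, claimed_sig_len);
    return unchecked_sig_start(img, n);
}

int scenario_strip(uint32_t claimed_sig_len) {
    uint8_t img[64];
    size_t n = build_image(img, sizeof img, 16, 8, claimed_sig_len);
    return strip_signature(img, n);
}

int main(void) {
    /* Honest trailer: offset 16 is inside the buffer and the strip succeeds. */
    printf("honest  : offset %ld, strip %d\n",
           scenario_unchecked_offset(8), scenario_strip(8));
    /* Crafted trailer: claimed length exceeds the image, offset goes negative
     * (a write there would land before the buffer); the checked path rejects it. */
    printf("crafted : offset %ld, strip %d\n",
           scenario_unchecked_offset(100), scenario_strip(100));
    return 0;
}
```

The defender-side point is the third check in checked_sig_start: comparing the untrusted length against the bytes actually present, in unsigned arithmetic that cannot go negative, is what prevents the offset from ever pointing before the buffer.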

Affected Products

FortiOS version 7.0.0
FortiOS version 6.4.0 through 6.4.6
FortiOS version 6.2.0 through 6.2.9
FortiOS version 6.0.0 through 6.0.13
FortiOS 5.6 all versions
FortiOS 5.4 all versions
FortiOS 5.2 all versions
FortiOS 5.0 all versions
FortiNDR 1.5 all versions
FortiNDR 1.4 all versions
FortiNDR 1.3 all versions
FortiNDR 1.2 all versions
FortiNDR 1.1 all versions
FortiProxy version 7.0.0
FortiProxy 2.0 all versions
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions
FortiVoice version 6.4.0 through 6.4.6
FortiVoice version 6.0.0 through 6.0.11
FortiAnalyzer version 7.0.0 through 7.0.2
FortiAnalyzer version 6.4.0 through 6.4.7
FortiAnalyzer 6.2 all versions
FortiAnalyzer 6.0 all versions
FortiDDoS-F version 6.3.0
FortiDDoS-F version 6.2.0 through 6.2.2
FortiDDoS-F version 6.1.0 through 6.1.4
FortiADC version 6.2.0 through 6.2.2
FortiADC version 6.1.0 through 6.1.5
FortiADC 6.0 all versions
FortiADC 5.4 all versions
FortiADC 5.3 all versions
FortiADC 5.2 all versions
FortiADC 5.1 all versions
FortiADC 5.0 all versions
FortiDDoS version 5.5.0 through 5.5.1
FortiDDoS 5.4 all versions
FortiDDoS 5.3 all versions
FortiDDoS 5.2 all versions
FortiDDoS 5.1 all versions
FortiDDoS 5.0 all versions
FortiDDoS 4.7 all versions
FortiDDoS 4.6 all versions
FortiDDoS 4.5 all versions
FortiDDoS 4.4 all versions
FortiManager version 7.0.0 through 7.0.2
FortiManager version 6.4.0 through 6.4.7
FortiManager 6.2 all versions
FortiManager 6.0 all versions
FortiWeb version 6.4.0 through 6.4.1
FortiWeb version 6.3.0 through 6.3.15
FortiWeb 6.2 all versions
FortiWeb 6.1 all versions
FortiWeb 6.0 all versions
FortiWeb 5.9 all versions
FortiWeb 5.8 all versions
FortiWeb 5.7 all versions
FortiWeb 5.6 all versions
FortiWeb 5.5 all versions
FortiWeb 5.4 all versions
FortiWeb 5.3 all versions
FortiRecorder version 6.4.0 through 6.4.2
FortiRecorder version 6.0.0 through 6.0.10
FortiRecorder 2.7 all versions
FortiRecorder 2.6 all versions
FortiSwitch version 7.0.0 through 7.0.2
FortiSwitch version 6.4.0 through 6.4.8
FortiSwitch 6.2 all versions
FortiSwitch 6.0 all versions

Solutions

Please upgrade to FortiWeb version 7.0.0 or above.
Please upgrade to FortiWeb version 6.4.2 or above.
Please upgrade to FortiWeb version 6.3.16 or above.
Please upgrade to FortiOS version 7.0.1 or above.
Please upgrade to FortiOS version 6.4.7 or above.
Please upgrade to FortiOS version 6.2.10 or above.
Please upgrade to FortiSwitch version 7.0.3 or above.
Please upgrade to FortiSwitch version 6.4.9 or above.
Please upgrade to FortiADC version 7.0.0 or above.
Please upgrade to FortiADC version 6.2.3 or above.
Please upgrade to FortiADC version 6.1.6 or above.
Please upgrade to FortiAI version 7.0.0 or above.
Please upgrade to FortiManager version 7.0.3 or above.
Please upgrade to FortiManager version 6.4.8 or above.
Please upgrade to FortiAnalyzer version 7.0.3 or above.
Please upgrade to FortiAnalyzer version 6.4.8 or above.
Please upgrade to FortiProxy version 2.0.8 or above.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.