FortiOS - Buffer Underwrite in firmware verification

Summary

A buffer underwrite (CWE-124) vulnerability in the firmware verification routine of FortiOS may allow an attacker on an adjacent network to execute arbitrary code via a specifically crafted firmware image.

Note:

The vulnerability could be "exploited" by an attacker who has already gained a foothold inside the perimeter, namely on the TFTP/FTP server that distributes the installation images. Management stations and external USB sticks could also be abused to deliver spurious images, therefore care must be taken in ascertaining their origin.

FortiGate F and E models released in 2019 and later are able to interrupt the installation of corrupted images thanks to an additional image signature verification.
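To make the CWE-124 class named in the Summary concrete for defenders, the following is an added illustration, not Fortinet code and not FortiOS's image format. It assumes a hypothetical header whose signed offset field decides where a signature is copied inside the image body; the unchecked routine lets a negative offset write before the start of the buffer, while the hardened routine rejects any offset that does not keep the whole write inside the buffer. A guard region placed before the image inside one arena struct makes the underwrite observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical layout used only for this illustration (not FortiOS's format):
 * a SIG_LEN-byte field is copied to the position named by sig_offset. */
#define SIG_LEN   16
#define IMAGE_LEN 256
#define GUARD_LEN 64

struct fw_header {
    int32_t sig_offset;       /* image-supplied, therefore attacker-controlled */
    uint8_t sig[SIG_LEN];
};

/* Arena layout: [guard | image]. A negative offset from image[0] lands in the
 * guard region, which stays inside the same object so the demo is well defined. */
struct arena {
    uint8_t guard[GUARD_LEN];
    uint8_t image[IMAGE_LEN];
};

static uint8_t *image_body(struct arena *a)
{
    /* byte pointer into the arena so negative arithmetic stays in-object */
    return (uint8_t *)a + offsetof(struct arena, image);
}

/* Vulnerable: trusts sig_offset. A negative value moves the write before the
 * start of the image buffer (CWE-124, buffer underwrite). */
int place_sig_unchecked(struct arena *a, const struct fw_header *h)
{
    memcpy(image_body(a) + h->sig_offset, h->sig, SIG_LEN);
    return 0;
}

/* Hardened: the whole SIG_LEN write must fall within image[0 .. IMAGE_LEN).
 * Both the lower bound (negative offset) and the upper bound are checked. */
int place_sig_checked(struct arena *a, const struct fw_header *h)
{
    if (h->sig_offset < 0 || h->sig_offset > IMAGE_LEN - SIG_LEN)
        return -1;                 /* reject the image before touching memory */
    memcpy(image_body(a) + h->sig_offset, h->sig, SIG_LEN);
    return 0;
}

void arena_init(struct arena *a)
{
    memset(a->guard, 0xAA, GUARD_LEN);   /* fill pattern we can check later */
    memset(a->image, 0x00, IMAGE_LEN);
}

/* 1 if the guard still holds its fill pattern, 0 if something wrote into it. */
int guard_intact(const struct arena *a)
{
    for (int i = 0; i < GUARD_LEN; i++)
        if (a->guard[i] != 0xAA)
            return 0;
    return 1;
}

/* Constructed header with an out-of-range negative offset. */
struct fw_header crafted_header(void)
{
    struct fw_header h;
    h.sig_offset = -32;
    memset(h.sig, 0x41, SIG_LEN);
    return h;
}

/* Returns 1 when the unchecked routine corrupted the guard (underwrite happened). */
int demo_unchecked_corrupts_guard(void)
{
    struct arena a;
    struct fw_header h = crafted_header();
    arena_init(&a);
    place_sig_unchecked(&a, &h);
    return !guard_intact(&a);
}

/* Returns 1 when the checked routine rejected the header and the guard is intact. */
int demo_checked_rejects_and_preserves(void)
{
    struct arena a;
    struct fw_header h = crafted_header();
    arena_init(&a);
    return place_sig_checked(&a, &h) == -1 && guard_intact(&a);
}

/* Returns 1 when the checked routine accepts the largest valid offset and
 * rejects the first invalid one past it (upper bound also enforced). */
int demo_checked_upper_bound(void)
{
    struct arena a;
    struct fw_header h = crafted_header();
    arena_init(&a);
    h.sig_offset = IMAGE_LEN - SIG_LEN;
    if (place_sig_checked(&a, &h) != 0) return 0;
    h.sig_offset = IMAGE_LEN - SIG_LEN + 1;
    return place_sig_checked(&a, &h) == -1;
}

int main(void)
{
    printf("unchecked corrupts guard: %d\n", demo_unchecked_corrupts_guard());
    printf("checked rejects crafted:  %d\n", demo_checked_rejects_and_preserves());
    printf("checked upper bound ok:   %d\n", demo_checked_upper_bound());
    return 0;
}
```

The point for a verifier routine is that any offset or length taken from the image itself must be range-checked against the destination buffer before the write, in both directions; checking only the upper bound still leaves the underwrite path open when the field is signed or wraps.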

Affected Products

FortiOS version 7.0.0.
FortiOS version 6.4.6 and below.

Solutions

Upgrade to FortiOS 7.0.1 or above.

Upgrade to FortiOS 6.4.7 or above.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.