FortiOS - Buffer overflow in TFTP client library of CLI

Summary

A buffer overflow [CWE-121] in the TFTP client library of FortiOS, may allow an authenticated local attacker to achieve arbitrary code execution via specially crafted command line arguments.

Version Affected Solution
FortiADC 7.0 Not affected Not Applicable
FortiADC 6.2 6.2.0 through 6.2.2 Upgrade to 6.2.3 or above
FortiADC 6.1 6.1.0 through 6.1.5 Upgrade to 6.1.6 or above
FortiADC 6.0 6.0 all versions Migrate to a fixed release
FortiADC 5.4 5.4 all versions Migrate to a fixed release
FortiADC 5.3 5.3 all versions Migrate to a fixed release
FortiADC 5.2 5.2 all versions Migrate to a fixed release
FortiADC 5.1 5.1 all versions Migrate to a fixed release
FortiADC 5.0 5.0 all versions Migrate to a fixed release
FortiAnalyzer 7.0 7.0.0 through 7.0.2 Upgrade to 7.0.3 or above
FortiAnalyzer 6.4 6.4.0 through 6.4.7 Upgrade to 6.4.8 or above
FortiAnalyzer 6.2 6.2 all versions Migrate to a fixed release
FortiAnalyzer 6.0 6.0 all versions Migrate to a fixed release
FortiDDoS 5.6 Not affected Not Applicable
FortiDDoS 5.5 5.5.0 through 5.5.1 Upgrade to 5.5.2 or above
FortiDDoS 5.4 5.4 all versions Migrate to a fixed release
FortiDDoS 5.3 5.3 all versions Migrate to a fixed release
FortiDDoS 5.2 5.2 all versions Migrate to a fixed release
FortiDDoS 5.1 5.1 all versions Migrate to a fixed release
FortiDDoS 5.0 5.0 all versions Migrate to a fixed release
FortiDDoS 4.7 4.7 all versions Migrate to a fixed release
FortiDDoS 4.6 4.6 all versions Migrate to a fixed release
FortiDDoS 4.5 4.5 all versions Migrate to a fixed release
FortiDDoS 4.4 4.4 all versions Migrate to a fixed release
FortiDDoS-F 6.4 6.4.0 through 6.4.1 Upgrade to 6.4.2 or above
FortiDDoS-F 6.3 6.3.0 Upgrade to 6.3.1 or above
FortiDDoS-F 6.2 6.2.0 through 6.2.2 Upgrade to 6.2.3 or above
FortiDDoS-F 6.1 6.1.0 through 6.1.4 Upgrade to 6.1.5 or above
FortiMail 7.2 Not affected Not Applicable
FortiMail 7.0 7.0.0 through 7.0.2 Upgrade to 7.0.3 or above
FortiMail 6.4 6.4.0 through 6.4.6 Upgrade to 6.4.7 or above
FortiMail 6.2 6.2.0 through 6.2.7 Migrate to a fixed release
FortiMail 6.0 6.0 all versions Migrate to a fixed release
FortiMail 5.4 5.4 all versions Migrate to a fixed release
FortiManager 7.0 7.0.0 through 7.0.2 Upgrade to 7.0.3 or above
FortiManager 6.4 6.4.0 through 6.4.7 Upgrade to 6.4.8 or above
FortiManager 6.2 6.2 all versions Migrate to a fixed release
FortiManager 6.0 6.0 all versions Migrate to a fixed release
FortiNDR 7.0 Not affected Not Applicable
FortiNDR 1.5 1.5.0 through 1.5.2 Migrate to a fixed release
FortiNDR 1.4 1.4 all versions Migrate to a fixed release
FortiNDR 1.3 1.3 all versions Migrate to a fixed release
FortiNDR 1.2 1.2 all versions Migrate to a fixed release
FortiNDR 1.1 1.1 all versions Migrate to a fixed release
FortiOS 7.0 7.0.0 through 7.0.2 Upgrade to 7.0.3 or above
FortiOS 6.4 6.4.0 through 6.4.7 Upgrade to 6.4.8 or above
FortiOS 6.2 6.2.0 through 6.2.9 Upgrade to 6.2.10 or above
FortiOS 6.0 6.0.0 through 6.0.13 Upgrade to 6.0.14 or above
FortiOS 5.6 5.6 all versions Migrate to a fixed release
FortiOS 5.4 5.4 all versions Migrate to a fixed release
FortiOS 5.2 5.2 all versions Migrate to a fixed release
FortiOS 5.0 5.0 all versions Migrate to a fixed release
FortiOS-6K7K 6.4 6.4.6 Upgrade to 6.4.8 or above
FortiOS-6K7K 6.4 6.4.2 Upgrade to 6.4.8 or above
FortiOS-6K7K 6.2 6.2.6 through 6.2.7 Upgrade to 6.2.9 or above
FortiOS-6K7K 6.2 6.2.4 Upgrade to 6.2.9 or above
FortiOS-6K7K 6.0 6.0.12 through 6.0.17 Migrate to a fixed release
FortiOS-6K7K 6.0 6.0.10 Migrate to a fixed release
FortiPortal 6.0 6.0.0 through 6.0.10 Upgrade to 6.0.11 or above
FortiPortal 5.3 5.3 all versions Migrate to a fixed release
FortiPortal 5.2 5.2 all versions Migrate to a fixed release
FortiPortal 5.1 5.1 all versions Migrate to a fixed release
FortiPortal 5.0 5.0 all versions Migrate to a fixed release
FortiProxy 7.0 7.0.0 through 7.0.1 Upgrade to 7.0.2 or above
FortiProxy 2.0 2.0.0 through 2.0.7 Upgrade to 2.0.8 or above
FortiProxy 1.2 1.2 all versions Migrate to a fixed release
FortiProxy 1.1 1.1 all versions Migrate to a fixed release
FortiProxy 1.0 1.0 all versions Migrate to a fixed release
FortiRecorder 7.0 Not affected Not Applicable
FortiRecorder 6.4 6.4.0 through 6.4.2 Upgrade to 6.4.3 or above
FortiRecorder 6.0 6.0.0 through 6.0.10 Upgrade to 6.0.11 or above
FortiRecorder 2.7 2.7.0 through 2.7.7 Upgrade to 2.7.8 or above
FortiRecorder 2.6 2.6 all versions Migrate to a fixed release
FortiSwitch 7.2 Not affected Not Applicable
FortiSwitch 7.0 7.0.0 through 7.0.3 Upgrade to 7.0.4 or above
FortiSwitch 6.4 6.4.0 through 6.4.9 Upgrade to 6.4.10 or above
FortiSwitch 6.2 6.2.0 through 6.2.7 Migrate to a fixed release
FortiSwitch 6.0 6.0 all versions Migrate to a fixed release
FortiVoice 6.4 6.4.0 through 6.4.4 Upgrade to 6.4.5 or above
FortiVoice 6.0 6.0.0 through 6.0.10 Upgrade to 6.0.11 or above
FortiWeb 7.0 Not affected Not Applicable
FortiWeb 6.4 6.4.0 through 6.4.1 Upgrade to 6.4.2 or above
FortiWeb 6.3 6.3.0 through 6.3.16 Upgrade to 6.3.17 or above
FortiWeb 6.2 6.2 all versions Migrate to a fixed release
FortiWeb 6.1 6.1 all versions Migrate to a fixed release
FortiWeb 6.0 6.0 all versions Migrate to a fixed release
FortiWeb 5.9 5.9 all versions Migrate to a fixed release
FortiWeb 5.8 5.8 all versions Migrate to a fixed release
FortiWeb 5.7 5.7 all versions Migrate to a fixed release
FortiWeb 5.6 5.6 all versions Migrate to a fixed release
FortiWeb 5.5 5.5 all versions Migrate to a fixed release
FortiWeb 5.4 5.4 all versions Migrate to a fixed release
FortiWeb 5.3 5.3 all versions Migrate to a fixed release
FortiWeb 5.2 5.2 all versions Migrate to a fixed release
FortiWeb 5.1 5.1 all versions Migrate to a fixed release
FortiWeb 5.0 5.0 all versions Migrate to a fixed release
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.