FortiOS - Buffer overflow in TFTP client library of CLI

Summary

A buffer overflow [CWE-121] in the TFTP client library of FortiOS may allow an authenticated local attacker to achieve arbitrary code execution via specially crafted command line arguments.

Affected Products

At least
FortiWeb version 6.4.0 through 6.4.1
FortiWeb version 6.3.0 through 6.3.16
FortiWeb 6.2 all versions
FortiWeb 6.1 all versions
FortiWeb 6.0 all versions
FortiWeb 5.9 all versions
FortiWeb 5.8 all versions
FortiWeb 5.7 all versions
FortiWeb 5.6 all versions
FortiWeb 5.5 all versions
FortiWeb 5.4 all versions
FortiWeb 5.3 all versions
FortiWeb 5.2 all versions
FortiWeb 5.1 all versions
FortiWeb 5.0 all versions
At least
FortiProxy version 7.0.0 through 7.0.1
FortiProxy version 2.0.0 through 2.0.7
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions
FortiNDR version 1.5.0 through 1.5.2
FortiNDR 1.4 all versions
FortiNDR 1.3 all versions
FortiNDR 1.2 all versions
FortiNDR 1.1 all versions
At least
FortiVoiceEnterprise version 6.4.0 through 6.4.4
FortiVoiceEnterprise version 6.0.0 through 6.0.10
FortiAnalyzer version 7.0.0 through 7.0.2
FortiAnalyzer version 6.4.0 through 6.4.7
FortiAnalyzer 6.2 all versions
FortiAnalyzer 6.0 all versions
At least
FortiSwitch version 7.0.0 through 7.0.3
FortiSwitch version 6.4.0 through 6.4.9
FortiSwitch 6.2 all versions
FortiSwitch 6.0 all versions
At least
FortiRecorder version 6.4.0 through 6.4.2
FortiRecorder version 6.0.0 through 6.0.10
FortiRecorder 2.7 all versions
FortiRecorder 2.6 all versions
FortiOS version 7.0.0 through 7.0.2
FortiOS version 6.4.0 through 6.4.7
FortiOS version 6.2.0 through 6.2.9
FortiOS version 6.0.0 through 6.0.13
FortiOS 5.6 all versions
FortiOS 5.4 all versions
FortiOS 5.2 all versions
FortiOS 5.0 all versions
FortiOS-6K7K 6.4.6 and 6.4.2
FortiOS-6K7K 6.2.8 and below
At least
FortiADC version 6.2.0 through 6.2.2
FortiADC version 6.1.0 through 6.1.5
FortiADC 6.0 all versions
FortiADC 5.4 all versions
FortiADC 5.3 all versions
FortiADC 5.2 all versions
FortiADC 5.1 all versions
FortiADC 5.0 all versions
At least
FortiManager version 7.0.0 through 7.0.2
FortiManager version 6.4.0 through 6.4.7
FortiManager 6.2 all versions
FortiManager 6.0 all versions
At least
FortiPortal version 6.0.0 through 6.0.10
FortiPortal 5.3 all versions
FortiPortal 5.2 all versions
FortiPortal 5.1 all versions
FortiPortal 5.0 all versions
At least
FortiMail version 7.0.0 through 7.0.2
FortiMail version 6.4.0 through 6.4.6
FortiMail version 6.2.0 through 6.2.7
FortiMail 6.0 all versions
FortiMail 5.4 all versions

Solutions

Upgrade to FortiOS 7.0.3 or above
Upgrade to FortiOS 6.4.8 or above
Upgrade to FortiOS 6.2.10 or above
Upgrade to FortiOS 6.0.14 or above
Upgrade to FortiOS-6K7K 6.2.9 or above
Upgrade to FortiOS-6K7K 6.4.8 or above
Upgrade to FortiADC 7.0.1 or above
Upgrade to FortiADC 6.2.3 or above
Upgrade to FortiADC 6.1.6 or above
Upgrade to FortiAnalyzer 7.0.3 or above
Upgrade to FortiAnalyzer 6.4.8 or above
Upgrade to FortiManager 7.0.3 or above
Upgrade to FortiManager 6.4.8 or above
Upgrade to FortiNDR 7.0.0 or above
Upgrade to FortiProxy 7.0.2 or above
Upgrade to FortiProxy 2.0.8 or above
Upgrade to FortiSwitch 7.2.0 or above
Upgrade to FortiSwitch 7.0.4 or above
Upgrade to FortiSwitch 6.4.10 or above
Upgrade to FortiWeb 7.0.0 or above
Upgrade to FortiWeb 6.4.2 or above
Upgrade to FortiWeb 6.3.17 or above
Upgrade to FortiVoiceEnterprise version 6.4.5 or above
Upgrade to FortiVoiceEnterprise version 6.0.11 or above
Upgrade to FortiRecorder version 6.4.3 or above
Upgrade to FortiRecorder version 6.0.11 or above
Upgrade to FortiMail version 7.0.3 or above
Upgrade to FortiMail version 6.4.7 or above
Upgrade to FortiMail version 6.2.8 or above
Upgrade to FortiPortal version 6.0.11 or above

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet Product Security team.