Stack-based buffer overflows via crafted CLI commands

Summary

A buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability [CWE-120] in FortiAnalyzer, FortiManager, FortiOS and FortiProxy may allow a privileged attacker to execute arbitrary code or commands via crafted "execute restore image" and "execute certificate remote" CLI operations using the TFTP protocol.

Affected Products

FortiManager version 5.6.0 through 5.6.11
FortiManager version 6.0.0 through 6.0.11
FortiManager version 6.2.0 through 6.2.9
FortiManager version 6.4.0 through 6.4.7
FortiManager version 7.0.0 through 7.0.2
FortiAnalyzer version 5.6.0 through 5.6.11
FortiAnalyzer version 6.0.0 through 6.0.11
FortiAnalyzer version 6.2.0 through 6.2.9
FortiAnalyzer version 6.4.0 through 6.4.7
FortiAnalyzer version 7.0.0 through 7.0.2
FortiOS version 6.0.0 through 6.0.14
FortiOS version 6.2.0 through 6.2.10
FortiOS version 6.4.0 through 6.4.8
FortiOS version 7.0.0 through 7.0.5
FortiProxy version 1.0.0 through 1.0.7
FortiProxy version 1.1.0 through 1.1.6
FortiProxy version 1.2.0 through 1.2.13
FortiProxy version 2.0.0 through 2.0.8
FortiProxy version 7.0.0 through 7.0.3

Solutions

Please upgrade to FortiAnalyzer version 7.0.3 or above
Please upgrade to FortiAnalyzer version 6.4.8 or above
Please upgrade to FortiManager version 7.0.3 or above
Please upgrade to FortiManager version 6.4.8 or above
Please upgrade to FortiOS version 7.2.0 or above
Please upgrade to FortiOS version 7.0.6 or above
Please upgrade to FortiProxy version 7.0.4 or above
Please upgrade to FortiProxy version 2.0.9 or above

Acknowledgement

Internally discovered and reported by Mattia Fecit and Théo Leleu of Fortinet Product Security Team.

Timeline

2022-07-05: Initial publication