FortiAnalyzer/FortiManager/FortiOS/FortiProxy - stack-based buffer overflow via crafted CLI execute command

Summary

A buffer copy without checking size of input ('Classic Buffer Overflow')  vulnerability [CWE-120] in FortiAnalyzer, FortiManager, FortiOS and FortiProxy may allow a privileged attacker to execute arbitrary code or command via crafted CLI `execute certificate remote`, `execute vpn certificate remote` and `execute restore image` operations with the TFTP protocol.

Affected Products

FortiManager version 5.6.0 through 5.6.11
FortiManager version 6.0.0 through 6.0.11
FortiManager version 6.2.0 through 6.2.9
FortiManager version 6.4.0 through 6.4.7
FortiManager version 7.0.0 through 7.0.2

FortiAnalyzer version 5.6.0 through 5.6.11
FortiAnalyzer version 6.0.0 through 6.0.11
FortiAnalyzer version 6.2.0 through 6.2.9
FortiAnalyzer version 6.4.0 through 6.4.7
FortiAnalyzer version 7.0.0 through 7.0.2

 

FortiOS version 6.0.0 through 6.0.14
FortiOS version 6.2.0 through 6.2.10
FortiOS version 6.4.0 through 6.4.8
FortiOS version 7.0.0 through 7.0.5

 

FortiProxy version 1.0.0 through 1.0.7
FortiProxy version 1.1.0 through 1.1.6
FortiProxy version 1.2.0 through 1.2.13
FortiProxy version 2.0.0 through 2.0.8
FortiProxy version 7.0.0 through 7.0.3

Solutions

Please upgrade to FortiManager version 7.0.3 or above
Please upgrade to FortiManager version 6.4.8 or above
Please upgrade to FortiAnalyzer version 7.0.3 or above
Please upgrade to FortiAnalyzer version 6.4.8 or above
Please upgrade to FortiOS version 7.2.0 or above
Please upgrade to FortiOS version 7.0.6 or above
Please upgrade to FortiOS version 6.4.9 or above
Please upgrade to FortiOS version 6.2.11 or above
Please upgrade to FortiProxy version 7.0.4 or above
Please upgrade to FortiProxy version 2.0.9 or above

Acknowledgement

Internally discovered and reported by Mattia Fecit of Fortinet Product Security Team.