Stack-based buffer overflows via crafted CLI commands

Summary

A buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability [CWE-120] in FortiAnalyzer, FortiManager, FortiOS and FortiProxy may allow a privileged attacker to execute arbitrary code or command via crafted CLI execute restore image and execute certificate remote operations with the TFTP protocol.

Affected Products

FortiManager version 5.6.0 through 5.6.11
FortiManager version 6.0.0 through 6.0.11
FortiManager version 6.2.0 through 6.2.9
FortiManager version 6.4.0 through 6.4.7
FortiManager version 7.0.0 through 7.0.2

FortiAnalyzer version 5.6.0 through 5.6.11
FortiAnalyzer version 6.0.0 through 6.0.11
FortiAnalyzer version 6.2.0 through 6.2.9
FortiAnalyzer version 6.4.0 through 6.4.7
FortiAnalyzer version 7.0.0 through 7.0.2

FortiOS version 6.0.0 through 6.0.14
FortiOS version 6.2.0 through 6.2.10
FortiOS version 6.4.0 through 6.4.8
FortiOS version 7.0.0 through 7.0.5

FortiProxy version 1.0.0 through 1.0.7
FortiProxy version 1.1.0 through 1.1.6
FortiProxy version 1.2.0 through 1.2.13
FortiProxy version 2.0.0 through 2.0.8
FortiProxy version 7.0.0 through 7.0.3

Solutions

Upgrade to FortiManager version 7.0.3 or above
Upgrade to FortiManager version 6.4.8 or above
Upgrade to FortiAnalyzer version 7.0.3 or above
Upgrade to FortiAnalyzer version 6.4.8 or above
Upgrade to FortiOS version 7.2.0 or above
Upgrade to FortiOS version 7.0.6 or above
Upgrade to FortiProxy version 7.0.4 or above
Upgrade to FortiProxy version 2.0.9 or above

Acknowledgement

Internally discovered and reported by Mattia Fecit and Théo Leleu of Fortinet Product Security Team.

Timeline

2022-07-05: Initial publication