FortiOS & FortiProxy - Out-of-bound-write in sslvpnd

Summary

An out-of-bounds write vulnerability [CWE-787] in sslvpnd of FortiOS and FortiProxy may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted requests.

Affected Products

FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.10
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.0 through 6.2.13
FortiOS version 6.0.0 through 6.0.16
FortiProxy version 7.2.0 through 7.2.1
FortiProxy version 7.0.0 through 7.0.7
FortiProxy 2.0 all versions
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions

Solutions

Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.11 or above
Please upgrade to FortiOS version 6.4.12 or above
Please upgrade to FortiOS version 6.2.14 or above
Please upgrade to upcoming FortiOS version 6.0.17 or above
Please upgrade to FortiProxy version 7.2.2 or above
Please upgrade to FortiProxy version 7.0.8 or above

Workaround:

Disable "Host Check", "Restrict to Specific OS Versions" and "MAC address host checking" in sslvpn portal configuration. For example for "full-access" sslvpn portal:

config vpn ssl web portal edit "full-access" set os-check disable set host-check none set mac-addr-check disable end

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team in the frame of an internal audit of the SSL-VPN component.

Timeline

2023-04-13: Initial publication

2023-05-15: add a new fixed version 6.0.17 for FortiOS