Format String Bug in Fclicense daemon

Summary

A use of externally-controlled format string vulnerability [CWE-134] in the Fclicense daemon of FortiOS may allow a remote authenticated attacker to execute arbitrary code or commands via specially crafted requests.

Affected Products

FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.11
FortiOS version 6.4.0 through 6.4.12
FortiOS version 6.2.0 through 6.2.14
FortiOS 6.0 all versions
FortiProxy 7.2.0 through 7.2.4
FortiProxy 7.0.0 through 7.0.10
FortiProxy 2.0.0 through 2.0.12
FortiProxy 1.2.0 through 1.2.13
FortiProxy 1.1.0 through 1.1.6
FortiProxy 1.0.0 through 1.0.7
FortiPAM 1.0.0 through 1.0.3

Solutions

Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.5 or above
Please upgrade to FortiOS version 7.0.12 or above
Please upgrade to FortiOS version 6.4.13 or above
Please upgrade to FortiOS version 6.2.15 or above
Please upgrade to FortiProxy version 7.2.5 or above
Please upgrade to FortiProxy version 7.0.11 or above
Please upgrade to FortiProxy version 2.0.13 or above
Please upgrade to FortiPAM version 1.1.0 or above

Virtual Patch named "FortiOS.Fclicense.Daemon.Format.String." is available in FMWP db update 23.104

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team in the frame of an internal audit of the SSL-VPN component.

Timeline

2023-06-12: Initial publication
Added IPS package info: 2023-11-15