PSIRTFormat String Bug in HTTPSd
Summary
A format string vulnerability [CWE-134] in the HTTPSd daemon of FortiOS, FortiProxy and FortiPAM may allow an authenticated user to execute unauthorized code or commands via specially crafted API requests.
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.11 | Upgrade to 7.0.12 or above |
| FortiOS 6.4 | 6.4.0 through 6.4.12 | Upgrade to 6.4.13 or above |
| FortiOS 6.2 | 6.2.0 through 6.2.15 | Upgrade to 6.2.16 or above |
| FortiOS 6.0 | 6.0 all versions | Migrate to a fixed release |
| FortiPAM 1.2 | Not affected | Not Applicable |
| FortiPAM 1.1 | 1.1.0 | Upgrade to 1.1.1 or above |
| FortiPAM 1.0 | 1.0 all versions | Migrate to a fixed release |
| FortiProxy 7.4 | Not affected | Not Applicable |
| FortiProxy 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.10 | Upgrade to 7.0.11 or above |
Virtual Patch named "FortiOS.FortiSASE.Daemon.Format.String." is available in FMWP db update 23.104
This vulnerability is not directly related to SSLVPNd, disabling it is NOT a valid workaround.
The attacker must have Read/Write privileges on the administrative interface to perform this attack.
Although "trusted host" mitigation might limit potential exploitations, it should not be considered as a valid workaround.
Efficient workarounds are either to upgrade to a fixed release or to apply virtual patch above.
edited on: 2023-12-15 11:07
Acknowledgement
Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team in the frame of an internal audit of the SSL-VPN component.Timeline
2023-12-08: Initial publication
2024-01-10: Virtual patch renamed "FortiOS.HTTPSd.Daemon.CVE-2023-36639.Memory.Corruption"