Use of uninitialized resource in SSLVPN websocket

Summary

Multiple potential issues, including the use of uninitialized resources [CWE-908] and excessive iteration [CWE-834] in FortiOS & FortiProxy SSLVPN webmode, may allow a VPN user to corrupt memory, potentially leading to code or command execution via specifically crafted requests.

Affected Products

FortiProxy 7.6 all versions are not affected
FortiProxy 7.4 all versions are not affected
FortiProxy version 7.2.0 through 7.2.6
FortiProxy version 7.0.0 through 7.0.12
FortiProxy 2.0 all versions are not affected
FortiOS 7.6 all versions are not affected
FortiOS version 7.4.0
FortiOS version 7.2.0 through 7.2.5
FortiOS version 7.0.1 through 7.0.12
FortiOS version 6.4.7 through 6.4.14

Solutions

Please upgrade to FortiOS version 7.4.1 or above
Please upgrade to FortiOS version 7.2.6 or above
Please upgrade to FortiOS version 7.0.13 or above
Please upgrade to FortiOS version 6.4.15 or above
Please upgrade to FortiProxy version 7.4.0 or above
Please upgrade to FortiProxy version 7.2.7 or above
Please upgrade to FortiProxy version 7.0.13 or above
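As an added example (not part of the Fortinet advisory), the affected ranges and first fixed releases listed above, encoded as data and evaluated against a device's version banner. The checker assumes the "Version:" line printed by `get system status` on a FortiGate (e.g. `Version: FortiGate-100F v7.2.5,build1517,230824 (GA)`); the banner strings in the block are constructed for illustration, and the FortiProxy banner layout in particular is an assumption. Branches the advisory lists as "all versions are not affected" are simply absent from the table, so a version outside every listed range is reported as not affected rather than inferred either way.

```python
"""Added example, not part of the Fortinet advisory: encode the affected and
fixed versions listed above and evaluate a device's version banner against
them.  The banner strings used here are constructed for illustration; the
assumed format is the "Version:" line of `get system status` on a FortiGate."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Per product and release branch: (first affected, last affected, first fixed),
# transcribed from the Affected Products and Solutions sections above.
# Branches the advisory lists as "all versions are not affected" (FortiOS 7.6,
# FortiProxy 7.6 / 7.4 / 2.0) are deliberately absent.  FortiOS 7.0.0 is not
# in the listed 7.0.1-7.0.12 range, so it is reported as not affected here.
AFFECTED: Dict[str, Dict[Tuple[int, int], Tuple[Version, Version, Version]]] = {
    "FortiOS": {
        (7, 4): ((7, 4, 0), (7, 4, 0), (7, 4, 1)),
        (7, 2): ((7, 2, 0), (7, 2, 5), (7, 2, 6)),
        (7, 0): ((7, 0, 1), (7, 0, 12), (7, 0, 13)),
        (6, 4): ((6, 4, 7), (6, 4, 14), (6, 4, 15)),
    },
    "FortiProxy": {
        (7, 2): ((7, 2, 0), (7, 2, 6), (7, 2, 7)),
        (7, 0): ((7, 0, 0), (7, 0, 12), (7, 0, 13)),
    },
}

# Matches the "vMAJOR.MINOR.PATCH" token in the banner; the build number is ignored.
_VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner: str) -> Version:
    """Extract (major, minor, patch) from a status banner such as 'v7.2.5,build1517'."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no vX.Y.Z version token in banner: {banner!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def product_from_banner(banner: str) -> str:
    """Map the platform name in the banner to the product name the advisory uses.

    FortiGate / FortiWiFi appliances and FortiGate-VM run FortiOS; FortiProxy
    names itself.  Anything else is rejected rather than guessed."""
    if "FortiProxy" in banner:
        return "FortiProxy"
    if re.search(r"\bForti(Gate|WiFi)", banner):
        return "FortiOS"
    raise ValueError(f"unrecognised platform in banner: {banner!r}")


def check(product: str, version: Version) -> Tuple[bool, Optional[Version]]:
    """Return (affected, first_fixed) for a product/version per the advisory.

    A branch that is not listed, or a patch level outside the listed range
    (e.g. already at or past the fixed release), yields (False, None)."""
    branch = AFFECTED.get(product, {}).get(version[:2])
    if branch is None:
        return False, None
    first, last, fixed = branch
    if first <= version <= last:
        return True, fixed
    return False, None


def fmt(version: Version) -> str:
    return ".".join(str(n) for n in version)


def assess(banner: str) -> Dict[str, object]:
    """One-shot helper: parse a banner and report whether an upgrade is needed."""
    product = product_from_banner(banner)
    version = parse_version(banner)
    affected, fixed = check(product, version)
    return {
        "product": product,
        "version": fmt(version),
        "affected": affected,
        "upgrade_to": fmt(fixed) if fixed else None,
    }


if __name__ == "__main__":
    # Constructed banners; the FortiProxy one assumes the same layout as FortiGate.
    for banner in (
        "Version: FortiGate-100F v7.2.5,build1517,230824 (GA)",
        "Version: FortiGate-60F v7.0.13,build0566,231213 (GA.M)",
        "Version: FortiGate-VM64 v7.6.0,build3401,240724 (GA)",
        "Version: FortiProxy-2000E v7.0.12,build0195,231031 (GA)",
    ):
        print(assess(banner))
```

The comparison is on (major, minor, patch) tuples, so a device already at the fixed release of an affected branch (7.2.6, 7.4.1, 6.4.15, and so on) is correctly reported as not affected, while a branch the advisory never lists is not treated as either affected or fixed.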

FortiSASE is no longer impacted; the issue was remediated in Q3/23.

Workaround:

Disable SSLVPN webmode.

Alternatively, please use SSLVPN tunnel mode, IPsec (tunnel) or ZTNA (web access).

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-SSL-VPN-Web-Mode-or-Tunnel-Mode-in/ta-p/217990

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/45836/ssl-vpn-to-ipsec-vpn

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/78050/migrating-from-ssl-vpn-to-ztna

Virtual Patch named "FortiOS.SSL.VPN.RDP.Mouse.Event.Memory.Corruption." is available in FMWP db update 23.104

Acknowledgement

Internally discovered and reported by Kai Ni from Burnaby Infosec team.

Timeline

2025-04-08: Initial publication