FortiOS/FortiProxy - Proxy mode with deep inspection - Stack-based buffer overflow

Summary

A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.

 

Workaround:

Disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode.

Example with custom-deep-inspection profile:

config firewall ssl-ssh-profile

   edit "custom-deep-inspection"

      set supported-alpn http1-1

   next

end

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/710924/http-2-support-in-proxy-mode-ssl-inspection  

Affected Products

FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.10
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.9

 

Products NOT affected:
FortiOS 6.4 all versions
FortiOS 6.2 all versions
FortiOS 6.0 all versions
FortiProxy 2.x all versions
FortiProxy 1.x all versions

Solutions

Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.11 or above
Please upgrade to FortiProxy version 7.4.0 or above
Please upgrade to FortiProxy version 7.2.3 or above
Please upgrade to FortiProxy version 7.0.10 or above

Acknowledgement

This issue was resolved in a previous release as a bug without a corresponding PSIRT Advisory. Fortinet would like to thank Watchtowr for sharing this omission.

Timeline

2023-07-11: Initial publication