FortiOS & FortiProxy - Out-of-bounds Write in captive portal

Summary

An out-of-bounds write vulnerability [CWE-787] and a Stack-based Buffer Overflow [CWE-121] in FortiOS & FortiProxy captive portal may allow an inside attacker who has access to captive portal to execute arbitrary code or commands via specially crafted HTTP requests.


Workaround:


Set a non form-based authentication scheme:


config authentication scheme
edit scheme
set method method
next
end


Where <method> can be any of those :


ntlm NTLM authentication.


basic Basic HTTP authentication.


digest Digest HTTP authentication.


negotiate Negotiate authentication.


fsso Fortinet Single Sign-On (FSSO) authentication.


rsso RADIUS Single Sign-On (RSSO) authentication.


ssh-publickey Public key based SSH authentication.


cert Client certificate authentication.


saml SAML authentication


None of the enabled authentication schemes should be form-based.


Please note that only devices with captive portal enabled are affected.

Affected Products

FortiOS version 7.4.0 through 7.4.1
FortiOS version 7.2.0 through 7.2.5
FortiOS version 7.0.0 through 7.0.12
FortiOS version 6.4.0 through 6.4.14
FortiOS version 6.2.0 through 6.2.15
FortiProxy version 7.4.0
FortiProxy version 7.2.0 through 7.2.6
FortiProxy version 7.0.0 through 7.0.12
FortiProxy version 2.0.0 through 2.0.13

Solutions

Please upgrade to FortiOS version 7.4.2 or above
Please upgrade to FortiOS version 7.2.6 or above
Please upgrade to FortiOS version 7.0.13 or above
Please upgrade to FortiOS version 6.4.15 or above
Please upgrade to FortiOS version 6.2.16 or above
Please upgrade to FortiProxy version 7.4.1 or above
Please upgrade to FortiProxy version 7.2.7 or above
Please upgrade to FortiProxy version 7.0.13 or above
Please upgrade to FortiProxy version 2.0.14 or above
Fortinet in Q3/23 has remediated this issue in FortiSASE version 23.3.b and hence the customers need not perform any action.

Virtual Patch named "FortiOS.Captive.Portal.Out.Of.Bounds.Write." is available in FMWP db update 23.105

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security Team.

Timeline

2024-02-27: Initial publication