FortiOS - Format String in CLI command
Summary
A use of externally-controlled format string vulnerability [CWE-134] in FortiOS command line interface may allow a local privileged attacker with super-admin profile and CLI access to execute arbitrary code or commands via specially crafted requests.
Version | Affected | Solution |
---|---|---|
FortiOS 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
FortiOS 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
FortiOS 7.0 | 7.0 all versions | Migrate to a fixed release |
FortiOS 6.4 | 6.4 all versions | Migrate to a fixed release |
Acknowledgement
Fortinet is pleased to thank Michael Messner and Benedikt Kühne from Siemens Energy for bringing this issue to our attention under responsible disclosure.Timeline
2024-04-09: Initial publication