FortiOS - IP address validation mishandles zero characters

Summary

An incorrect parsing of numbers with different radices vulnerability [CWE-1389] in FortiOS and FortiProxy IP address validation feature may permit an unauthenticated attacker to bypass the IP blocklist via crafted requests.

Version Affected Solution
FortiOS 7.6 Not affected Not Applicable
FortiOS 7.4 7.4.0 through 7.4.3 Upgrade to 7.4.4 or above
FortiOS 7.2 7.2.0 through 7.2.8 Upgrade to 7.2.9 or above
FortiOS 7.0 7.0 all versions Migrate to a fixed release
FortiProxy 7.4 7.4.0 through 7.4.3 Upgrade to 7.4.4 or above
FortiProxy 7.2 7.2 all versions Migrate to a fixed release
FortiProxy 7.0 7.0 all versions Migrate to a fixed release
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Acknowledgement

Fortinet is pleased to thank Tim Yu from Bell Canada for reporting this vulnerability under responsible disclosure.

Timeline

2024-07-09: Initial publication
2024-09-06: Fixed versions updated