Stack buffer overflow in fabric service
Summary
A stack-based buffer overflow [CWE-121] vulnerability in FortiOS CAPWAP control may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted UDP packets, provided the attacker were able to evade FortiOS stack protections and provided the fabric service is running on the exposed interface.
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.6 | Not affected | Not Applicable |
| FortiOS 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiOS 7.2 | 7.2.4 through 7.2.8 | Upgrade to 7.2.9 or above |
| FortiOS 7.0 | Not affected | Not Applicable |
| FortiOS 6.4 | Not affected | Not Applicable |
Fortinet remediated this issue in FortiSASE version 24.2.b.2 in Q2/24; FortiSASE customers therefore need not take any action.
Workaround
For each interface, remove the fabric service, for example change:
config system interface
    edit "portX"
        set allowaccess ping https ssh fabric
    next
end
to:
config system interface
    edit "portX"
        set allowaccess ping https ssh
    next
end
OR
For each interface with the "fabric" service, block CAPWAP-CONTROL access to port 5246 through a local-in policy.
config firewall service custom
    edit "CAPWAP-CONTROL"
        set udp-portrange 5246
    next
end
config firewall addrgrp
    edit "CAPWAP_DEVICES_IPs"
        set member "my_allowed_addresses"
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "CAPWAP_DEVICES_IPs"
        set dstaddr "all"
        set service "CAPWAP-CONTROL"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "CAPWAP-CONTROL"
        set schedule "always"
        set action deny
    next
end
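The two workarounds above are applied per interface, so the practical first step is an inventory of which interfaces actually expose the "fabric" service. The following script is an added example, not Fortinet's code or part of this advisory: it parses a `config system interface` dump, lists interfaces whose `allowaccess` includes `fabric`, and generates the corresponding workaround CLI (either dropping `fabric` from `allowaccess`, or the accept/deny pair of local-in policies for UDP/5246). The interface names, addresses, the address group name `CAPWAP_DEVICES_IPs` and the policy numbering are constructed assumptions; the generated policy uses `set action accept`, the keyword FortiOS local-in policies take.

```python
"""
Added example (not from the Fortinet advisory): inventory interfaces that
expose the 'fabric' service and emit the advisory's workaround CLI for them.
All interface names, addresses and the address-group name are constructed.
"""
import re

# Constructed sample of 'show system interface' output (not a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fabric
        set role wan
    next
    edit "port2"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
    edit "port3"
        set allowaccess fabric https
        set role dmz
    next
end
"""


def parse_interfaces(config_text):
    """Return {interface_name: [allowaccess services]} from a FortiOS
    'config system interface' block. Interfaces with no allowaccess line
    map to an empty list."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if line in ("next", "end"):
            current = None
            continue
        if current is not None and line.startswith("set allowaccess "):
            interfaces[current] = line[len("set allowaccess "):].split()
    return interfaces


def fabric_exposed(interfaces):
    """Interfaces on which the vulnerable fabric service is reachable."""
    return sorted(name for name, svcs in interfaces.items() if "fabric" in svcs)


def remove_fabric_cli(interfaces):
    """Workaround 1: CLI that strips 'fabric' from allowaccess on each
    affected interface, leaving the other services untouched."""
    lines = ["config system interface"]
    for name in fabric_exposed(interfaces):
        kept = [s for s in interfaces[name] if s != "fabric"]
        # An empty service list must be cleared with 'unset', not 'set'.
        access = f"set allowaccess {' '.join(kept)}" if kept else "unset allowaccess"
        lines += [f'    edit "{name}"', f"        {access}", "    next"]
    lines.append("end")
    return "\n".join(lines)


def local_in_policy_cli(interfaces, allowed_group="CAPWAP_DEVICES_IPs", first_id=1):
    """Workaround 2: CLI that accepts CAPWAP control (UDP/5246) only from
    allowed_group and denies it from everyone else, per affected interface.
    The address group is assumed to exist already."""
    lines = ["config firewall service custom",
             '    edit "CAPWAP-CONTROL"',
             "        set udp-portrange 5246",
             "    next",
             "end",
             "config firewall local-in-policy"]
    pid = first_id
    for name in fabric_exposed(interfaces):
        # Order matters: the accept rule must precede the catch-all deny.
        for src, action in ((allowed_group, "accept"), ("all", "deny")):
            lines += [f"    edit {pid}",
                      f'        set intf "{name}"',
                      f'        set srcaddr "{src}"',
                      '        set dstaddr "all"',
                      '        set service "CAPWAP-CONTROL"',
                      '        set schedule "always"',
                      f"        set action {action}",
                      "    next"]
            pid += 1
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    print("fabric exposed on:", ", ".join(fabric_exposed(ifs)))
    print(remove_fabric_cli(ifs))
    print(local_in_policy_cli(ifs))
```

Feed it the output of `show system interface` from the device; interfaces without a `fabric` entry are skipped in both generated blocks, and the local-in policies are numbered sequentially from `first_id` so they do not collide with existing policy IDs only if you pass a free starting number.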
OR
For each interface with the "fabric" service, apply the virtual patch FG-VD-10006068.0day available in FMWP (Firmware Virtual Patch) db update 24.054 to port 5246 through a local-in policy.
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/393161
1- Verify the rule is available inside the virtual patch database
get rule fmwp status
rule-name: "FG-VD-10006068.0day"
rule-id: 10006068
rev: 24.054
date: 1716998400
action: block
status: enable
log: disable
log-packet: disable
severity: 4.critical
service: UDP
location: server
os: All
application: All
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous
vuln_type: Buffer Errors
fos_comp: Other
2- Configure the local-in policy for each interface on which the "fabric" service is enabled.
config firewall service custom
    edit "CAPWAP-CONTROL"
        set udp-portrange 5246
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "CAPWAP-CONTROL"
        set schedule "always"
        set action accept
        set virtual-patch enable
    next
end
Virtual Patch named "FG-VD-10006068.0day" is available in FMWP db update 24.054
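Step 1 of this option is the check that matters: a local-in policy with `virtual-patch enable` only protects the port if the rule is actually present, enabled and set to block. The following script is an added example, not Fortinet's code or part of this advisory; it parses the text that `get rule fmwp status` prints (the sample below is the listing shown above, embedded inline) and confirms the named rule meets those conditions. The rule name, rule-id and revision 24.054 come from the advisory; the revision comparison and the field names it relies on are taken from the listing as shown.

```python
"""
Added example (not part of the advisory): confirm the FMWP virtual patch
named in the advisory is present, enabled and blocking before relying on it.
The sample listing is the advisory's own 'get rule fmwp status' output.
"""

# Sample 'get rule fmwp status' output, as printed in the advisory.
SAMPLE_FMWP_STATUS = """\
rule-name: "FG-VD-10006068.0day"
rule-id: 10006068
rev: 24.054
date: 1716998400
action: block
status: enable
log: disable
log-packet: disable
severity: 4.critical
service: UDP
location: server
vuln_type: Buffer Errors
"""


def parse_fmwp_status(text):
    """Return a list of rule dicts, one per 'rule-name:' block, so the
    same parser works when several rules are listed."""
    rules, current = [], None
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "rule-name":
            current = {}
            rules.append(current)
        if current is not None:
            current[key] = value
    return rules


def _rev_key(rev):
    """'24.054' -> (24, 54) so revisions compare numerically, not as text."""
    return tuple(int(part) for part in rev.split("."))


def virtual_patch_ready(text, rule_name="FG-VD-10006068.0day", min_rev="24.054"):
    """True only if the named rule exists, is enabled, has action block and
    its db revision is at least min_rev. Any missing field fails closed."""
    for rule in parse_fmwp_status(text):
        if rule.get("rule-name") != rule_name:
            continue
        try:
            rev_ok = _rev_key(rule.get("rev", "")) >= _rev_key(min_rev)
        except ValueError:
            rev_ok = False
        return (rule.get("status") == "enable"
                and rule.get("action") == "block"
                and rev_ok)
    return False


if __name__ == "__main__":
    state = "ready" if virtual_patch_ready(SAMPLE_FMWP_STATUS) else "NOT ready"
    print(f"FG-VD-10006068.0day virtual patch: {state}")
```

Run it against the real command output captured from the device; a `False` result means the local-in policy in step 2 would pass CAPWAP control traffic through without the block rule, so the port should be restricted with one of the other two workarounds until the FMWP database is updated.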
Acknowledgement
Internally reported and discovered by Stephen J. Bevan of the FortiOS development team.
Timeline
2025-02-11: Initial publication
2025-02-11: Typo