<?xml version="1.0" encoding="UTF-8"?>
<cvrf:cvrfdoc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cvrf-common="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/common" xmlns:cvrf="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
    <cvrf:DocumentTitle>Cookie Parser Buffer Overflow Vulnerability</cvrf:DocumentTitle>
    <cvrf:DocumentType>Fortinet PSIRT Advisories</cvrf:DocumentType>
    <cvrf:DocumentPublisher Type="Vendor">
        <cvrf:ContactDetails>
            Fortinet PSIRT Contact:
            Website: https://fortiguard.fortinet.com/faq/psirt-contact
        </cvrf:ContactDetails>
    </cvrf:DocumentPublisher>
    <cvrf:DocumentTracking>
        <cvrf:Identification>
            <cvrf:ID>FG-IR-16-023</cvrf:ID>
        </cvrf:Identification>
        <cvrf:Status>Final</cvrf:Status>
        <cvrf:Version>1</cvrf:Version>
        <cvrf:RevisionHistory>
            <cvrf:Revision>
                <cvrf:Number>1</cvrf:Number>
                <cvrf:Date>2016-08-17T00:00:00</cvrf:Date>
                <cvrf:Description>Current version</cvrf:Description>
            </cvrf:Revision>
        </cvrf:RevisionHistory>
        <cvrf:InitialReleaseDate>2016-08-17T00:00:00</cvrf:InitialReleaseDate>
        <cvrf:CurrentReleaseDate>2016-08-17T00:00:00</cvrf:CurrentReleaseDate>
    </cvrf:DocumentTracking>
    <cvrf:DocumentNotes>
        <cvrf:Note Title="Summary" Type="Summary" Ordinal="1">
            FortiGate firmware (FortiOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability. This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over. Affected firmware versions are lower versions of 4.x firmware release. FortiOS 5.x firmware is NOT affected. Affected FortiSwitch firmware versions are 3.4.2 and below.
        </cvrf:Note>
        <cvrf:Note Title="Impact" Type="General" Ordinal="2">
            Remote administrative access
        </cvrf:Note>
        <cvrf:Note Title="Affected Products" Type="General" Ordinal="3">
            FortiGate (FortiOS):
            4.3.8 and below
            4.2.12 and below
            4.1.10 and below
            FortiSwitch:
            3.4.2 and below
        </cvrf:Note>
        <cvrf:Note Title="Solutions" Type="General" Ordinal="4">
            Upgrade to release 5.x.
            Upgrade to release 4.3.9 or above for models not compatible with FortiOS 5.x.
            Note that the following AV and IPS signatures block the potential attacks:
            ELF/Adows.A!exploit since AV DB 36.803
            IPS signature: FortiGate.Cookie.Buffer.Overflow since IPS DB 8.935
            FortiSwitch:
            Upgrade to release 3.4.3
            Workarounds:
            FortiOS:
            Disable admin access via HTTP and HTTPS on all interfaces, and use SSH instead.
            On 4.3, if HTTP or HTTPS access is mandatory, one can restrict access to HTTP and HTTPS to a minimal set of authorized IP addresses, via the Local In policies.
            On 4.2 and 4.1, if HTTP or HTTPS access is mandatory, one can restrict access to the administration interfaces (including HTTP and HTTPS access) to a minimal set of authorized IP addresses, via the trusthost commands.
            FortiSwitch:
            Disable admin access via HTTP and HTTPS on all interfaces, and use the CLI instead. Alternatively, restrict access to the administration interfaces (including HTTP and HTTPS access) to a minimal set of authorized IP addresses, via the trusthost commands.
        </cvrf:Note>
    </cvrf:DocumentNotes>
    <cvrf:Acknowledgments>
        <cvrf:Acknowledgment>
            <cvrf:Description>The vulnerability was initially reported to Fortinet in August 2012 by Florian Gaultier of SCRT. Back then, it was mentioned in FortiOS 4.3.9 release notes.</cvrf:Description>
        </cvrf:Acknowledgment>
    </cvrf:Acknowledgments>
    <Vulnerability Ordinal="1">
        <Title>Cookie Parser Buffer Overflow Vulnerability</Title>
        <cvrf:CVE>CVE-2016-6909</cvrf:CVE>
        <References Type="Self">
            <Reference>
                <URL>https://fortiguard.fortinet.com/psirt/FG-IR-16-023</URL>
                <Description>Cookie Parser Buffer Overflow Vulnerability</Description>
            </Reference>
        </References>
    </Vulnerability>
</cvrf:cvrfdoc>