[FortiOS] SSL VPN buffer overflow through JavaScript herf parsing when proxying webpages Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-18-388 Final 1 1 2019-11-26T00:00:00 Current version 2019-11-26T00:00:00 2019-11-26T00:00:00 A heap buffer overflow vulnerability in the FortiOS SSL VPN web portal may cause the SSL VPN web service termination for logged in users or potential remote code execution on FortiOS; this happens when an authenticated user visits a specifically crafted proxy-ed webpage, and this is due to a failure to handle javascript href content properly. This only affects SSL VPN web-mode (SSL VPN tunnel-mode is not impacted) Denial of service FortiOS 6.0.0 to 6.0.4FortiOS 5.6.0 to 5.6.10FortiOS 5.4.0 to 5.4.12FortiOS 5.2.0 to 5.2.14Branch lower than 5.2 not been assessed. Upgrade to FortiOS 5.2.15, 5.4.13, 5.6.11, 6.0.5 or 6.2.0 and above. Workarounds: One of the following workarounds can be applied: * Use SSL VPN tunnel-mode only. * Only access trusted HTTP web servers under SSL VPN web-mode * Totally disable the SSL-VPN service by applying the following CLI commands: config vpn ssl settings unset source-interface end Revision History: 2019-04-02 Initial Version 2019-05-15 Add fix on 6.0 branch 2019-07-11 Risk adjusted to High; Workaround updated. 2019-08-21 Add fix on 5.6 branch 2019-11-26 Add fix on 5.4 and 5.2 branch Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure. CVE-2018-13383 4.2 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-18-388 [FortiOS] SSL VPN buffer overflow through JavaScript herf parsing when proxying webpages Reference>