TCP Middlebox Reflection Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-22-073 Final 1 1 2022-09-06T00:00:00 Current version 2022-09-06T00:00:00 2022-09-06T00:00:00 An improper verification of source of a communication channel vulnerability [CWE-940] in FortiOS may allow a remote and unauthenticated attacker to trigger the sending of "blocked page" HTML data to an arbitrary victim via crafted TCP requests, potentially flooding the victim. This is possible only if at least a firewall policy has inspection mode set to flow-based (default), AND at least a Security Profile is enabled (Web Filter, AntiVirus, IPS, DLP, Application Control, SSL, File filter). None Denial of service FortiOS version 7.2.0FortiOS version 7.0.0 through 7.0.5FortiOS version 6.4.0 through 6.4.8FortiOS version 6.2.0 through 6.2.10FortiOS 6.0 all versions Please upgrade to FortiOS version 6.2.11 or above,Please upgrade to FortiOS version 6.4.9 or above,Please upgrade to FortiOS version 7.0.6 or above,Please upgrade to FortiOS version 7.2.1 or above.ORFortiOS version 6.0.0 to 6.0.10 : Please upgrade IPS engine to version 4.086 or above,FortiOS version 6.2.4 to 6.2.10 : Please upgrade IPS engine to version 5.259 or above,FortiOS version 6.4.0 to 6.4.8 : Please upgrade IPS engine to version 6.122 or above,FortiOS version 7.0.0 to 7.0.5 : Please upgrade IPS engine to version 7.114 or above,FortiOS version 7.2.0 : Please upgrade IPS engine to version 7.215 or above.Workarounds:Disable or adjust security profiles that may trigger the sending of "blocked page" HTTP data, or use proxy-based inspection mode instead of the default flow-based inspection mode.OREmpty the replacement page in Replacement Page >> Extended View of Security Profiles to limit amplification factor created with block page. https://fortiguard.fortinet.com/psirt/FG-IR-22-073 TCP Middlebox Reflection [1] https://www.usenix.org/system/files/sec21fall-bock.pdf [1] https://www.usenix.org/system/files/sec21fall-bock.pdf FortiOS 7.2.0 FortiOS 7.0.5 FortiOS 7.0.4 FortiOS 7.0.3 FortiOS 7.0.2 FortiOS 7.0.1 FortiOS 7.0.0 FortiOS 6.4.8 FortiOS 6.4.7 FortiOS 6.4.6 FortiOS 6.4.5 FortiOS 6.4.4 FortiOS 6.4.3 FortiOS 6.4.2 FortiOS 6.4.1 FortiOS 6.4.0 FortiOS 6.2.10 FortiOS 6.2.9 FortiOS 6.2.8 FortiOS 6.2.7 FortiOS 6.2.6 FortiOS 6.2.5 FortiOS 6.2.4 FortiOS 6.2.3 FortiOS 6.2.2 FortiOS 6.2.1 FortiOS 6.2.0 FortiOS 6.0.18 FortiOS 6.0.17 FortiOS 6.0.16 FortiOS 6.0.15 FortiOS 6.0.14 FortiOS 6.0.13 FortiOS 6.0.12 FortiOS 6.0.11 FortiOS 6.0.10 FortiOS 6.0.9 FortiOS 6.0.8 FortiOS 6.0.7 FortiOS 6.0.6 FortiOS 6.0.5 FortiOS 6.0.4 FortiOS 6.0.3 FortiOS 6.0.2 FortiOS 6.0.1 FortiOS 6.0.0 CVE-2022-27491 FortiOS-7.2.0 FortiOS-7.0.5 FortiOS-7.0.4 FortiOS-7.0.3 FortiOS-7.0.2 FortiOS-7.0.1 FortiOS-7.0.0 FortiOS-6.4.8 FortiOS-6.4.7 FortiOS-6.4.6 FortiOS-6.4.5 FortiOS-6.4.4 FortiOS-6.4.3 FortiOS-6.4.2 FortiOS-6.4.1 FortiOS-6.4.0 FortiOS-6.2.10 FortiOS-6.2.9 FortiOS-6.2.8 FortiOS-6.2.7 FortiOS-6.2.6 FortiOS-6.2.5 FortiOS-6.2.4 FortiOS-6.2.3 FortiOS-6.2.2 FortiOS-6.2.1 FortiOS-6.2.0 FortiOS-6.0.18 FortiOS-6.0.17 FortiOS-6.0.16 FortiOS-6.0.15 FortiOS-6.0.14 FortiOS-6.0.13 FortiOS-6.0.12 FortiOS-6.0.11 FortiOS-6.0.10 FortiOS-6.0.9 FortiOS-6.0.8 FortiOS-6.0.7 FortiOS-6.0.6 FortiOS-6.0.5 FortiOS-6.0.4 FortiOS-6.0.3 FortiOS-6.0.2 FortiOS-6.0.1 FortiOS-6.0.0 6.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:F/RL:U/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-22-073 TCP Middlebox Reflection Reference> [1] https://www.usenix.org/system/files/sec21fall-bock.pdf [1] https://www.usenix.org/system/files/sec21fall-bock.pdf