Jump to content
  • SeedTheNet
  • FortiOS / FortiProxy - Heap buffer underflow in administrative interface


    SeedTheNet

    FortiOS / FortiProxy - Heap buffer underflow in administrative interface

    Summary

    A buffer underwrite ('buffer underflow') vulnerability in FortiOS & FortiProxy administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests.

     

    Exploitation status:

    Fortinet is not aware of any instance where this vulnerability was exploited in the wild. We continuously review and test the security of our products, and this vulnerability was internally discovered within that frame.

    Affected Products

    FortiOS version 7.2.0 through 7.2.3
    FortiOS version 7.0.0 through 7.0.9
    FortiOS version 6.4.0 through 6.4.11
    FortiOS version 6.2.0 through 6.2.12
    FortiOS 6.0 all versions
    FortiProxy version 7.2.0 through 7.2.2
    FortiProxy version 7.0.0 through 7.0.8
    FortiProxy version 2.0.0 through 2.0.12
    FortiProxy 1.2 all versions
    FortiProxy 1.1 all versions
    FortiOS-6K7K version 7.0.5
    FortiOS-6K7K version 6.4.10
    FortiOS-6K7K version 6.4.8
    FortiOS-6K7K version 6.4.6
    FortiOS-6K7K version 6.4.2
    FortiOS-6K7K version 6.2.9 through 6.2.12
    FortiOS-6K7K version 6.2.6 through 6.2.7
    FortiOS-6K7K version 6.2.4
    FortiOS-6K7K 6.0 all versions

     

    Even when running a vulnerable FortiOS version, the hardware devices listed below are *only* impacted by the DoS part of the issue, *not* by the arbitrary code execution (non-listed devices are vulnerable to both): 

     

    FortiGateRugged-100C
    FortiGate-100D
    FortiGate-200C
    FortiGate-200D
    FortiGate-300C
    FortiGate-3600A
    FortiGate-5001FA2
    FortiGate-5002FB2
    FortiGate-60D
    FortiGate-620B
    FortiGate-621B
    FortiGate-60D-POE
    FortiWiFi-60D
    FortiWiFi-60D-POE
    FortiGate-300C-Gen2
    FortiGate-300C-DC-Gen2
    FortiGate-300C-LENC-Gen2
    FortiWiFi-60D-3G4G-VZW
    FortiGate-60DH
    FortiWiFi-60DH
    FortiGateRugged-60D
    FortiGate-VM01-Hyper-V
    FortiGate-VM01-KVM
    FortiWiFi-60D-I
    FortiGate-60D-Gen2
    FortiWiFi-60D-J
    FortiGate-60D-3G4G-VZW
    FortiWifi-60D-Gen2
    FortiWifi-60D-Gen2-J
    FortiWiFi-60D-T
    FortiGateRugged-90D
    FortiWifi-60D-Gen2-U
    FortiGate-50E
    FortiWiFi-50E
    FortiGate-51E
    FortiWiFi-51E
    FortiWiFi-50E-2R
    FortiGate-52E
    FortiGate-40F
    FortiWiFi-40F
    FortiGate-40F-3G4G
    FortiWiFi-40F-3G4G
    FortiGate-40F-3G4G-NA
    FortiGate-40F-3G4G-EA
    FortiGate-40F-3G4G-JP
    FortiWiFi-40F-3G4G-NA
    FortiWiFi-40F-3G4G-EA
    FortiWiFi-40F-3G4G-JP

    Solutions

    Please upgrade to FortiOS version 7.4.0 or above
    Please upgrade to FortiOS version 7.2.4 or above
    Please upgrade to FortiOS version 7.0.10 or above
    Please upgrade to FortiOS version 6.4.12 or above
    Please upgrade to FortiOS version 6.2.13 or above
    Please upgrade to FortiProxy version 7.2.3 or above
    Please upgrade to FortiProxy version 7.0.9 or above
    Please upgrade to FortiOS-6K7K version 7.0.10 or above
    Please upgrade to FortiOS-6K7K version 6.4.12 or above
    Please upgrade to FortiOS-6K7K version 6.2.13 or above

     

    Workaround for FortiOS:

     

    Disable HTTP/HTTPS administrative interface

    OR

    Limit IP addresses that can reach the administrative interface:

     

    config firewall address

    edit "my_allowed_addresses"

    set subnet <MY IP> <MY SUBNET>

    end

     

    Then create an Address Group:

     

    config firewall addrgrp

    edit "MGMT_IPs"

    set member "my_allowed_addresses"

    end

     

    Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

     

    config firewall local-in-policy

    edit 1

    set intf port1

    set srcaddr "MGMT_IPs"

    set dstaddr "all"

    set action accept

    set service HTTPS HTTP

    set schedule "always"

    set status enable

    next

    edit 2

    set intf "any"

    set srcaddr "all"

    set dstaddr "all"

    set action deny

    set service HTTPS HTTP

    set schedule "always"

    set status enable

    end

     

    If using non default ports, create appropriate service object for GUI administrative access:

     

    config firewall service custom

    edit GUI_HTTPS

    set tcp-portrange <admin-sport>

    next

    edit GUI_HTTP

    set tcp-portrange <admin-port>

    end

     

    Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 below.

     

    When using an HA reserved management interface, the local in policy needs to be configured slightly differently - please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005

     

    Please contact customer support for assistance.

    Acknowledgement

    Internally discovered and reported by Kai Ni from Burnaby InfoSec team.

    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

  • Member Statistics

    40
    Total Members
    60
    Most Online
    fluoxetine cost
    Newest Member
    fluoxetine cost
    Joined
×
×
  • Create New...

Important Information

Privacy Policy