Headline
CVE-2021-42756: Fortiguard
Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the proxy daemon of FortiWeb 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, 6.4 all versions may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests.
** PSIRT Advisories**
FortiWeb - Stack-based buffer overflows in Proxyd
Summary
Multiple stack-based buffer overflow vulnerabilities [CWE-121] in FortiWeb’s proxy daemon may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests.
Affected Products
FortiWeb versions 5.x all versions,
FortiWeb versions 6.0.7 and below,
FortiWeb versions 6.1.2 and below,
FortiWeb versions 6.2.6 and below,
FortiWeb versions 6.3.16 and below,
FortiWeb versions 6.4 all versions.
Solutions
Upgrade to FortiWeb 7.0.0 or above,
Upgrade to FortiWeb 6.3.17 or above,
Upgrade to FortiWeb 6.2.7 or above.
Upgrade to FortiWeb 6.1.3 or above.
Upgrade to FortiWeb 6.0.8 or above.
Acknowledgement
Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.
Related news
Fortinet has released fixes to address 15 security flaws, including one critical vulnerability impacting FortiOS and FortiProxy that could enable a threat actor to take control of affected systems. The issue, tracked as CVE-2023-25610, is rated 9.3 out of 10 for severity and was internally discovered and reported by its security teams. "A buffer underwrite ('buffer underflow') vulnerability in
Fortinet has released security updates to address 40 vulnerabilities in its software lineup, including FortiWeb, FortiOS, FortiNAS, and FortiProxy, among others. Two of the 40 flaws are rated Critical, 15 are rated High, 22 are rated Medium, and one is rated Low in severity. Top of the list is a severe bug residing in the FortiNAC network access control solution (CVE-2022-39952, CVSS score: 9.8)