Headline
CVE-2023-22640: Fortiguard
A out-of-bounds write in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.10, FortiOS version 6.4.0 through 6.4.11, FortiOS version 6.2.0 through 6.2.13, FortiOS all versions 6.0, FortiProxy version 7.2.0 through 7.2.1, FortiProxy version 7.0.0 through 7.0.7, FortiProxy all versions 2.0, FortiProxy all versions 1.2, FortiProxy all versions 1.1, FortiProxy all versions 1.0 allows an authenticated attacker to execute unauthorized code or commands via specifically crafted requests.
** PSIRT Advisories**
FortiOS & FortiProxy - Out-of-bound-write in sslvpnd
Summary
An out-of-bounds write vulnerability [CWE-787] in sslvpnd of FortiOS and FortiProxy may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted requests.
Affected Products
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.10
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.0 through 6.2.13
FortiOS 6.0 all versions
FortiProxy version 7.2.0 through 7.2.1
FortiProxy version 7.0.0 through 7.0.7
FortiProxy all versions 2.0, 1.2, 1.1, 1.0
Solutions
Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.11 or above
Please upgrade to FortiOS version 6.4.12 or above
Please upgrade to FortiOS version 6.2.14 or above
Please upgrade to FortiProxy version 7.2.2 or above
Please upgrade to FortiProxy version 7.0.8 or above
Workaround:
Disable "Host Check", “Restrict to Specific OS Versions” and “MAC address host checking” in sslvpn portal configuration. For example for “full-access” sslvpn portal:
config vpn ssl web portal
edit “full-access”
set os-check disable
set host-check none
set mac-addr-check disable
end
Acknowledgement
Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team in the frame of an internal audit of the SSL-VPN component.
Timeline
2023-04-13: Initial publication