CVE-2015-0235 "GHOST" vulnerability

Impact Detail

On Linux-based systems running the standard GNU C Library (aka glibc), the library's gethostbyname() function is vulnerable to a heap overflow condition. An attacker may be able to exploit this condition by feeding an application that calls this function specially crafted parameters, and thereby execute arbitrary code on the targeted system. This may be done locally, for privilege escalation purposes, or remotely, provided the targeted application processes data sent by the attacker (e.g. a mail server).

gethostbyname() is used by numerous programs and applications to resolve a name (e.g. www.fortinet.com) into an IP address (e.g. 66.171.121.44).

Affected Products

FortiOS, FortiCache, FortiWeb, FortiADC E series, FortiExtender: all versions embed a vulnerable version of glibc; however, the vulnerable functions are not called by Fortinet code (nor are they called by third-party code). Therefore, these products are not vulnerable.

All versions of the following products embed a vulnerable version of glibc; however, no real-life exploitation scenario has been found to be possible so far:
  • FortiManager versions
  • FortiAnalyzer
  • FortiMail versions
  • FortiVoiceEnterprise versions
  • FortiRecorder versions
  • AscenLink versions
  • FortiSandbox all versions
  • FortiAuthenticator versions
  • FortiSwitch versions
  • FortiWAN versions
  • FortiDDoS versions
  • FortiDB all versions
  • FortiADC D series versions
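The "embeds glibc but does not call the vulnerable functions" reasoning above can be triaged on any Linux host by checking which ELF binaries reference the affected entry points by name. The script below is an added example, not Fortinet code; the four-name symbol list (the gethostbyname*() family), the function names and the sample byte strings are assumptions made for this illustration.

```python
import re
import sys

# glibc entry points that share the overflowing code path (assumed list:
# the advisory names gethostbyname() only; the other three are added here).
GHOST_SYMBOLS = (b"gethostbyname2_r", b"gethostbyname_r",
                 b"gethostbyname2", b"gethostbyname")

# Imported symbol names sit NUL-terminated in the ELF string tables.
# Lookarounds keep the shared NUL between adjacent names available to both.
_PATTERN = re.compile(rb"(?<=\x00)(" + b"|".join(GHOST_SYMBOLS) + rb")(?=\x00)")


def referenced_ghost_symbols(blob):
    """Return the gethostbyname*() names stored as whole strings in an ELF image."""
    if blob[:4] != b"\x7fELF":
        return []  # not an ELF file: scripts, data, archives
    return sorted({m.group(1).decode() for m in _PATTERN.finditer(blob)})


def scan(paths):
    """Map each readable ELF path to the affected symbol names it references."""
    report = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                hits = referenced_ghost_symbols(fh.read())
        except OSError:
            continue  # unreadable or vanished file: skip it
        if hits:
            report[path] = hits
    return report


# Constructed samples: an ELF magic plus a fake string-table fragment.
SAMPLE_CALLER = (b"\x7fELF" + b"\x00" * 12 +
                 b"libc.so.6\x00gethostbyname\x00gethostbyname2_r\x00socket\x00")
SAMPLE_CLEAN = (b"\x7fELF" + b"\x00" * 12 +
                b"libc.so.6\x00getaddrinfo\x00my_gethostbyname_wrapper\x00")

if __name__ == "__main__":
    for path, names in scan(sys.argv[1:]).items():
        print(f"{path}: {', '.join(names)}")
```

A hit means the binary can reach the function, not that attacker-controlled input does; libc itself always matches because it exports these names, and statically linked, stripped binaries will not match at all.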

Solutions

Regardless of exploitability (or lack thereof), all products embedding a vulnerable version of glibc will be updated.
In the meantime, to further reduce the theoretical attack surface, Fortinet PSIRT recommends the following:
  • Make sure IPS signature Glibc.Gethostbyname.Buffer.Overflow is enabled. It is available in IPS update 5.604.
  • Make sure the administration interfaces of your Fortinet products are not accessible from outside of your network