Summary
Under non-default configuration, a stack-based buffer overflow in FortiGate may allow a remote attacker authenticated to the SSL VPN to crash the FortiClient NAC daemon (fcnacd) and potentially execute arbitrary code via requesting a large FortiClient file name. We are not aware of proof of concept code successfully achieving the latter.
Affected Products
FortiOS versions 5.6.12 and below.
FortiOS versions 6.0.10 and below.
Solutions
Please upgrade to FortiOS versions 5.6.13 or above.
Please upgrade to FortiOS versions 6.0.11 or above.
FortiOS versions 6.2.0 and above are not impacted.
FortiOS versions 6.4.0 and above are not impacted.
Workaround:
Please ensure that Fortiheartbeat and Endpoint-Compliance are not both enabled on the same interface.
FortiHeartbeat and Endpoint-Compliance can be disabled on a particular interface by following the below CLI commands:
config system interface
edit interface
set endpoint-compliance disable (<-- Disabled by default)
set fortiheartbeat disable
next
end
Acknowledgement
Fortinet is pleased to thank Communications Security Establishment Canada (CSEC) for reporting this vulnerability under responsible disclosure.