Stack-based buffer overflow in SSL VPN daemon

Summary

Under non-default configuration, a stack-based buffer overflow in FortiGate may allow a remote attacker authenticated to the SSL VPN to crash the FortiClient NAC daemon (fcnacd) and potentially execute arbitrary code via requesting a large FortiClient file name. We are not aware of proof of concept code successfully achieving the latter.

Affected Products

FortiOS versions 5.6.12 and below.
FortiOS versions 6.0.10 and below.

Solutions

Please upgrade to FortiOS versions 5.6.13 or above. Please upgrade to FortiOS versions 6.0.11 or above. FortiOS versions 6.2.0 and above are not impacted. FortiOS versions 6.4.0 and above are not impacted. Workaround: Please ensure that Fortiheartbeat and Endpoint-Compliance are not both enabled on the same interface. FortiHeartbeat and Endpoint-Compliance can be disabled on a particular interface by following the below CLI commands: config system interface edit interface set endpoint-compliance disable (<-- Disabled by default) set fortiheartbeat disable next end

Acknowledgement

Fortinet is pleased to thank Communications Security Establishment Canada (CSEC) for reporting this vulnerability under responsible disclosure.