FortiOS SSL VPN buffer overrun through POST message payload

Summary

Failure to properly parse message payloads in the SSL VPN portal of FortiOS may allow an unauthenticated attacker to cause a Denial of Service by exploiting a buffer overflow.

Affected Products

FortiOS 6.0.0 to 6.0.4
FortiOS 5.6.0 to 5.6.7
FortiOS 5.4 and below

Solutions

Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0.

Workarounds:

Disable the SSL-VPN web portal service by applying the following CLI commands:

For FortiOS 5.0 and below branches:

    config vpn ssl settings
    set sslvpn-enable disable
    end

For FortiOS 5.2 and above branches:

    config vpn ssl settings
    unset source-interface
    end

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.