PSIRT Advisory

Remote Exploit Vulnerability in Bash - (Shellshock)

Impact

Remote Code Execution

Affected Products

FortiAnalyzer (versions 5.0.X and 5.2.0) - authentication required to exploit
FortiAuthenticator - authentication required to exploit
FortiDB
FortiManager (versions 4.3, 5.0.X and 5.2.0) - authentication required to exploit
AscenLink v7.X

Solutions

FortiAnalyzer
FortiAnalyzer v5.0.8 is now available.
FortiAnalyzer v5.2.1 is now available.

FortiAuthenticator
A patch for FortiAuthenticator v3.1.2 is now available.

FortiDB
A patch for FortiDB v5.1.5 is now available.

FortiManager
FortiManager v5.0.8 is now available.
FortiManager v5.2.1 is now available.

AscenLink
This vulnerability will be fixed in an upcoming patch of AscenLink.

Workarounds

FortiGate customers may apply the IPS signature entitled "Bash.Function.Definitions.Remote.Code.Execution" to protect systems accessible through a FortiGate. This IPS signature is available in the 5.552 IPS update, which will be deployed via FDS on the afternoon of September 25th.

FortiGuard Labs has created an AV signature for this vulnerability and it was deployed using the Hot Update functionality. It is advised that all FortiGate customers ensure they are using AV DB 22.863 or later to help protect systems.

FortiGuard Web Security Service for FortiWeb web application firewall was updated overnight to address the Shellshock vulnerability. Updated package 0.00116 includes signature 090420001 to prevent attackers from executing arbitrary commands over HTTP via specially crafted Bash environment variables (CVE-2014-6271, CVE-2014-7169). FortiWeb applies signature 090420001 to URLs, arguments, headers and cookies. The signature is part of the Known Exploits directory and is enabled by default.

Please be sure to back up your affected systems prior to updating and read the respective release notes when performing any software upgrade. Firmware release dates for impacted products are pending and this advisory will be updated when available.