PSIRT Advisory

SSL VPN buffer overrun when parsing javascript href content

Summary

A heap buffer overflow vulnerability in the FortiOS SSL VPN web portal may terminate the SSL VPN web service for logged-in users. It is triggered when an authenticated user visits a specially crafted proxied webpage, and is caused by a failure to handle JavaScript href content properly.


Exploiting this weakness to achieve remote code execution, on the other hand, has not been proven feasible.

Impact

Denial of service

Affected Products

All FortiOS versions lower than 6.0.5

Solutions

Upgrade to FortiOS 6.0.5 or 6.2.0


Workarounds:


Disable the SSL-VPN web portal service by applying the following CLI commands:


config vpn ssl settings
unset source-interface
end
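The following is an added example, not part of Fortinet's advisory: a small offline audit that reads a FortiOS configuration backup and reports whether the firmware is below 6.0.5 and whether the workaround above is in place. The function names, the sample backup and the assumed `#config-version=` header layout are illustrative assumptions.

```python
import re
import shlex

FIXED = (6, 0, 5)  # advisory: all FortiOS versions lower than 6.0.5 are affected
# Assumed backup header form: "#config-version=<model>-6.0.4-FW-build...".
VERSION_RE = re.compile(r"^#config-version=\S*?-(\d+)\.(\d+)(?:\.(\d+))?-", re.M)

# Constructed sample backup (not taken from a real device).
SAMPLE = '''#config-version=FGT60E-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=admin
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    config authentication-rule
        edit 1
            set source-interface "dmz"
        next
    end
end
'''

def firmware_version(text):
    """Return (major, minor, patch) from the backup header, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def sslvpn_source_interfaces(text):
    """Interfaces set at the top level of each 'config vpn ssl settings' block."""
    depth, found = 0, []
    for line in (raw.strip() for raw in text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config vpn ssl settings" else 0
        elif line.startswith("config "):
            depth += 1  # nested table such as authentication-rule
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("set source-interface "):
            found.extend(shlex.split(line)[2:])
    return found

def audit(text):
    """Classify a backup against the advisory's fix and workaround."""
    version, ifaces = firmware_version(text), sslvpn_source_interfaces(text)
    if version is None:
        return "unknown-version"
    if version >= FIXED:
        return "fixed"
    return "affected-exposed" if ifaces else "affected-workaround-applied"

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only a `source-interface` set directly under `config vpn ssl settings` counts; the same keyword inside a nested table is ignored, since the workaround unsets the top-level setting.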


Revision History:


2019-04-02 Initial Version
2019-05-15 Add fix on 6.0 branch

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.