PSIRT Advisory

SSL VPN buffer overrun when parsing javascript href content

Summary

A heap buffer overflow vulnerability in the FortiOS SSL VPN web portal may terminate the SSL VPN web service for logged-in users or potentially allow remote code execution on FortiOS. It is triggered when an authenticated user visits a specially crafted proxied webpage, and is caused by a failure to handle javascript href content properly.


This only affects SSL VPN web-mode (SSL VPN tunnel-mode is not impacted).

Impact

Denial of service, Remote Code Execution

Affected Products

FortiOS all versions lower than 6.0.5

Solutions

Upgrade to FortiOS 6.0.5 or 6.2.0.


Workarounds:


One of the following workarounds can be applied:


* Use SSL VPN tunnel-mode only.


* Only access trusted HTTP web servers under SSL VPN web-mode.


* Totally disable the SSL-VPN service by applying the following CLI commands:

config vpn ssl settings
unset source-interface
end
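
To check a configuration backup against the fixed versions and workarounds above, the following added example (not Fortinet code) reports whether the device runs a version lower than 6.0.5, whether the SSL VPN service still has a source-interface, and which portals enable web-mode. The sample config is constructed, and the "#config-version=" header layout and the audit() helper name are assumptions of this example.

```python
import re

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """\
#config-version=FGT60E-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=admin
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "tunnel-only"
        set tunnel-mode enable
    next
end
"""

def audit(config_text):
    """Summarise exposure to the web-mode issue from a config backup."""
    # Assumed header form: "#config-version=<model>-<major.minor.patch>-FW-..."
    m = re.search(r"^#config-version=\S*?-(\d+)\.(\d+)\.(\d+)-", config_text, re.M)
    version = tuple(int(g) for g in m.groups()) if m else None
    stack, portal, listening, web_portals = [], None, False, []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("config "):
            stack.append(line[len("config "):])  # enter a (possibly nested) block
        elif line == "end" and stack:
            stack.pop()
        elif stack and stack[-1] == "vpn ssl settings":
            # The advisory's last workaround is "unset source-interface".
            listening |= line.startswith("set source-interface ")
        elif stack and stack[-1] == "vpn ssl web portal":
            if line.startswith("edit "):
                portal = line[len("edit "):].strip('"')
            elif line == "set web-mode enable":
                web_portals.append(portal)
    # Fixed in 6.0.5 and 6.2.0; an unparsed version is treated as unpatched.
    unpatched = version is None or version < (6, 0, 5)
    return {"version": version, "unpatched": unpatched,
            "sslvpn_listening": listening, "web_mode_portals": web_portals,
            "exposed": unpatched and listening and bool(web_portals)}
```

Calling audit(SAMPLE_CONFIG) flags the sample as exposed through the "full-access" portal; the result turns negative once the version reads 6.0.5 or later, the source-interface line is gone, or no portal enables web-mode.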


Revision History:


2019-04-02 Initial Version
2019-05-15 Add fix on 6.0 branch
2019-07-11 Risk adjusted to High; Workaround updated.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.