[FortiProxy] SSL VPN buffer overflow through JavaScript herf parsing when proxying webpages

Summary

A heap buffer overflow vulnerability in the FortiProxy SSL VPN web portal may cause the SSL VPN web service termination for logged in users or potential remote code execution on FortiProxy. This happens when an authenticated user visits a specifically crafted proxied webpage and is due to a failure to handle Javascript HREF content properly.

Affected Products

FortiProxy version 2.0.0
FortiProxy versions 1.2.8 and below.
FortiProxy versions 1.1 all versions
FortiProxy versions 1.0 all versions

Solutions

Please upgrade to FortiProxy versions 2.0.1 or above. Please upgrade to FortiProxy versions 1.2.9 or above.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.

Timeline

2021-02-03: Initial publication