Heap-based Buffer Overflow in firmware signature verification

Summary

A heap-based buffer overflow [CWE-122] in the firmware signature verification function of FortiOS may allow an attacker to execute arbitrary code via specially crafted installation images.

Affected Products

FortiGate E-series and F-series models released in 2019 and later (specifically: 40F, 60F, 200F, 400E, 600E, 1100E, 1800F, 2200E, 2600F, 3300E, 3400E, 3500F, 3600E and 7121F)
that are running the following versions of FortiOS:
FortiOS version 7.0.1 and below.
FortiOS version 6.4.6 and below.
FortiOS version 6.2.9 and below.
FortiOS version 6.0.13 and below.
FortiOS-6K7K version 6.4.5 and below.
FortiOS-6K7K version 6.2.8 and below.
FortiOS-6K7K version 6.0.10 and below.
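The affected-model and affected-version lists above, turned into a triage check for a device inventory. This is an added example, not Fortinet's code; the inventory rows, hostnames and the pairing of models with product lines are constructed for illustration, and branches or models the advisory does not mention are reported as "not-listed" rather than treated as fixed.

```python
import re
# Models named in "Affected Products"
AFFECTED_MODELS = {"40F", "60F", "200F", "400E", "600E", "1100E", "1800F",
                   "2200E", "2600F", "3300E", "3400E", "3500F", "3600E", "7121F"}

# Per product line: branch (major, minor) -> highest affected patch level
AFFECTED_VERSIONS = {
    "FortiOS": {(7, 0): 1, (6, 4): 6, (6, 2): 9, (6, 0): 13},
    "FortiOS-6K7K": {(6, 4): 5, (6, 2): 8, (6, 0): 10},
}

def parse_version(text):
    """Turn 'v7.0.1' or '7.0.1' into (7, 0, 1); reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def classify(model, product, version):
    """Return 'affected', 'fixed' or 'not-listed' for one device."""
    # A model or version branch the advisory does not mention is reported as
    # 'not-listed' rather than 'fixed': it needs a separate check.
    if model not in AFFECTED_MODELS or product not in AFFECTED_VERSIONS:
        return "not-listed"
    major, minor, patch = parse_version(version)
    ceiling = AFFECTED_VERSIONS[product].get((major, minor))
    if ceiling is None:
        return "not-listed"
    return "affected" if patch <= ceiling else "fixed"

def triage(inventory):
    """Group device names by verdict; rows are (name, model, product, version)."""
    out = {"affected": [], "fixed": [], "not-listed": []}
    for name, model, product, version in inventory:
        out[classify(model, product, version)].append(name)
    return out

# Constructed sample inventory (hostnames and model/product pairings are made up)
SAMPLE_INVENTORY = [
    ("fw-branch-01", "60F", "FortiOS", "v6.4.6"),
    ("fw-branch-02", "60F", "FortiOS", "v6.4.7"),
    ("fw-dc-01", "3500F", "FortiOS", "v7.0.1"),
    ("fw-dc-02", "1800F", "FortiOS", "v7.0.2"),
    ("fw-chassis-01", "7121F", "FortiOS-6K7K", "v6.0.10"),
    ("fw-legacy-01", "100E", "FortiOS", "v6.2.9"),  # model not in the advisory
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict}: {', '.join(names) or '-'}")
```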

Solutions

Upgrade to FortiOS version 7.0.2 and above.
Upgrade to FortiOS version 6.4.7 and above.
Upgrade to FortiOS version 6.2.10 and above.
Upgrade to FortiOS version 6.0.14 and above.
Upgrade to FortiOS-6K7K version 6.4.6 and above.
Upgrade to FortiOS-6K7K version 6.2.9 and above.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet Product Security team.

Timeline

2021-12-07: Initial publication