Integer overflow in dhcpd daemon

Summary

An integer overflow / wraparound vulnerability [CWE-190] in the FortiOS, FortiProxy, FortiSwitch, FortiRecorder, and FortiVoiceEnterprise
dhcpd daemon may allow an unauthenticated and network-adjacent attacker to crash the dhcpd daemon, resulting in a potential denial of service.

Affected Products

FortiOS version 7.0.3 and below.
FortiOS version 6.4.8 and below.
FortiOS version 6.2.10 and below.
FortiOS version 6.0.x.
FortiProxy version 7.0.0.
FortiProxy version 2.0.6 and below.
FortiProxy version 1.2.x.
FortiProxy version 1.1.x.
FortiProxy version 1.0.x.
FortiSwitch version 7.0.2 and below.
FortiSwitch version 6.4.9 and below.
FortiSwitch version 6.2.x.
FortiSwitch version 6.0.x.
FortiRecorder version 6.4.2 and below.
FortiRecorder version 6.0.10 and below.
FortiVoiceEnterprise version 6.4.3 and below.
FortiVoiceEnterprise version 6.0.10 and below.
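A small inventory check that encodes the affected ranges above, so a fleet of firmware versions can be screened against this advisory. This is an added example, not Fortinet code or tooling; the product names and version boundaries are transcribed from the Affected Products list, and the "x" branches (e.g. FortiOS 6.0.x) are treated as affected at every release, as the advisory states.

```python
# Added example (not from the advisory): screen Fortinet product versions
# against the affected ranges listed in the "Affected Products" section.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '7.0.3' into (7, 0, 3); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


# Per product: (branch prefix, highest affected release on that branch).
# None means the whole branch is affected (the advisory's "6.0.x" style entries).
AFFECTED: Dict[str, List[Tuple[Version, Optional[Version]]]] = {
    "FortiOS": [
        ((7, 0), (7, 0, 3)), ((6, 4), (6, 4, 8)), ((6, 2), (6, 2, 10)), ((6, 0), None),
    ],
    "FortiProxy": [
        ((7, 0), (7, 0, 0)), ((2, 0), (2, 0, 6)), ((1, 2), None), ((1, 1), None), ((1, 0), None),
    ],
    "FortiSwitch": [
        ((7, 0), (7, 0, 2)), ((6, 4), (6, 4, 9)), ((6, 2), None), ((6, 0), None),
    ],
    "FortiRecorder": [((6, 4), (6, 4, 2)), ((6, 0), (6, 0, 10))],
    "FortiVoiceEnterprise": [((6, 4), (6, 4, 3)), ((6, 0), (6, 0, 10))],
}


def is_affected(product: str, version: str) -> bool:
    """True if the given product/version falls inside a range the advisory lists."""
    if product not in AFFECTED:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version)
    for branch, last_bad in AFFECTED[product]:
        if v[: len(branch)] != branch:
            continue
        # Tuple comparison orders (6, 4, 8) < (6, 4, 9) the way release numbers do.
        return last_bad is None or v <= last_bad
    # Branch not listed (e.g. FortiSwitch 7.2.x, which the advisory names as a fix).
    return False


def screen_inventory(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose (product, version) is affected."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = [
        ("fw-edge-1", "FortiOS", "7.0.3"),
        ("fw-edge-2", "FortiOS", "7.0.4"),
        ("sw-core-1", "FortiSwitch", "7.2.0"),
        ("proxy-1", "FortiProxy", "2.0.6"),
    ]
    for host in screen_inventory(sample):
        print(f"{host}: affected, see Solutions section for the fixed release")
```

The check treats an unlisted branch as not affected, which matches the advisory's wording; a version string that does not parse raises rather than silently passing, so a malformed inventory entry is noticed instead of being reported as clean.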

Solutions

Please upgrade to FortiOS version 7.0.4 or above.
Please upgrade to FortiOS version 6.4.9 or above.
Please upgrade to FortiOS version 6.2.11 or above.
Please upgrade to FortiProxy version 7.0.1 or above.
Please upgrade to FortiProxy version 2.0.7 or above.
Please upgrade to FortiSwitch version 7.2.0 or above.
Please upgrade to FortiSwitch version 7.0.3 or above.
Please upgrade to FortiSwitch version 6.4.10 or above.
Please upgrade to FortiRecorder version 6.4.3 or above.
Please upgrade to FortiRecorder version 6.0.11 or above.
Please upgrade to FortiVoiceEnterprise version 6.4.4 or above.
Please upgrade to FortiVoiceEnterprise version 6.0.11 or above.

Acknowledgement

Fortinet is pleased to thank Nanyu Zhong and Yu Zhang from VARAS@IIE for reporting this vulnerability under responsible disclosure.

Timeline

2022-07-05: Initial publication