OS command injections in execute CLI commands
Summary
An improper neutralization of special elements [CWE-89] used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiDDoS & FortiDDoS-F may allow an authenticated attacker to execute shell code as root via execute CLI commands.
| Version | Affected | Solution |
|---|---|---|
| FortiDDoS 5.7 | 5.7.0 | Upgrade to 5.7.1 or above |
| FortiDDoS 5.6 | 5.6.0 through 5.6.1 | Upgrade to 5.6.2 or above |
| FortiDDoS 5.5 | 5.5 all versions | Migrate to a fixed release |
| FortiDDoS 5.4 | 5.4 all versions | Migrate to a fixed release |
| FortiDDoS 5.3 | 5.3 all versions | Migrate to a fixed release |
| FortiDDoS 5.2 | 5.2 all versions | Migrate to a fixed release |
| FortiDDoS 5.1 | 5.1 all versions | Migrate to a fixed release |
| FortiDDoS 5.0 | 5.0 all versions | Migrate to a fixed release |
| FortiDDoS 4.7 | 4.7 all versions | Migrate to a fixed release |
| FortiDDoS 4.6 | 4.6 all versions | Migrate to a fixed release |
| FortiDDoS 4.5 | 4.5 all versions | Migrate to a fixed release |
| FortiDDoS-F 6.5 | 6.5.0 | Upgrade to 6.5.1 or above |
| FortiDDoS-F 6.4 | 6.4.0 through 6.4.1 | Upgrade to 6.4.2 or above |
| FortiDDoS-F 6.3 | 6.3 all versions | Migrate to a fixed release |
| FortiDDoS-F 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiDDoS-F 6.1 | 6.1 all versions | Migrate to a fixed release |
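As an added example (not Fortinet code), the affected-version table above transcribed into a small checker that reports, for one installed build, whether it falls in an affected range and which remediation row applies; the inventory entries at the bottom are constructed sample input.

```python
"""Check FortiDDoS / FortiDDoS-F builds against the advisory's affected-version table."""
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    product: str
    branch: Tuple[int, int]            # (major, minor) the table row covers
    low: Optional[Tuple[int, ...]]     # first affected build; None = whole branch affected
    high: Optional[Tuple[int, ...]]    # last affected build; None = whole branch affected
    solution: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.6.1' -> (5, 6, 1). Tuples compare component-wise, so ranges work directly."""
    return tuple(int(part) for part in text.strip().split("."))


# Rows with an explicit patch range (transcribed from the table).
RULES: List[Rule] = [
    Rule("FortiDDoS", (5, 7), (5, 7, 0), (5, 7, 0), "Upgrade to 5.7.1 or above"),
    Rule("FortiDDoS", (5, 6), (5, 6, 0), (5, 6, 1), "Upgrade to 5.6.2 or above"),
    Rule("FortiDDoS-F", (6, 5), (6, 5, 0), (6, 5, 0), "Upgrade to 6.5.1 or above"),
    Rule("FortiDDoS-F", (6, 4), (6, 4, 0), (6, 4, 1), "Upgrade to 6.4.2 or above"),
]
# "all versions" rows: the whole branch is affected and must be migrated.
MIGRATE = "Migrate to a fixed release"
RULES += [Rule("FortiDDoS", (5, m), None, None, MIGRATE) for m in range(0, 6)]
RULES += [Rule("FortiDDoS", (4, m), None, None, MIGRATE) for m in (5, 6, 7)]
RULES += [Rule("FortiDDoS-F", (6, m), None, None, MIGRATE) for m in (1, 2, 3)]


def check(product: str, version: str) -> Tuple[bool, str]:
    """Return (affected, action). Branches the advisory does not list are flagged, not cleared."""
    v = parse_version(version)
    if len(v) < 3:
        raise ValueError(f"need major.minor.patch, got {version!r}")
    for rule in RULES:
        if rule.product != product or v[:2] != rule.branch:
            continue
        if rule.low is None or rule.low <= v <= rule.high:
            return True, rule.solution
        return False, "not affected: at or above the fixed build for this branch"
    return False, "branch not listed in this advisory; verify separately"


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = [("FortiDDoS", "5.6.1"), ("FortiDDoS", "5.7.1"), ("FortiDDoS-F", "6.2.3")]
    for product, version in inventory:
        affected, action = check(product, version)
        print(f"{product} {version}: {'AFFECTED' if affected else 'ok'} - {action}")
```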
Acknowledgement
Internally discovered and reported by Théo Leleu of Fortinet Product Security team.
Timeline
2024-08-13: Initial publication