TCP Middlebox Reflection

Summary

An improper verification of source of a communication channel vulnerability [CWE-940] in FortiOS may allow a remote and unauthenticated attacker to trigger the sending of "blocked page" HTML data to an arbitrary victim via crafted TCP requests, potentially flooding the victim. This is possible only if at least one firewall policy has its inspection mode set to flow-based (the default), AND at least one Security Profile (Web Filter, AntiVirus, IPS, DLP, Application Control, SSL, File filter) is enabled.

Affected Products

FortiOS version 7.2.0
FortiOS version 7.0.0 through 7.0.5
FortiOS version 6.4.0 through 6.4.8
FortiOS version 6.2.0 through 6.2.10
FortiOS 6.0 all versions

Solutions

Please upgrade to FortiOS version 6.2.11 or above,
Please upgrade to FortiOS version 6.4.9 or above,
Please upgrade to FortiOS version 7.0.6 or above,
Please upgrade to FortiOS version 7.2.1 or above.
OR
FortiOS version 6.0.0 to 6.0.10 : Please upgrade IPS engine to version 4.086 or above,
FortiOS version 6.2.4 to 6.2.10 : Please upgrade IPS engine to version 5.259 or above,
FortiOS version 6.4.0 to 6.4.8 : Please upgrade IPS engine to version 6.122 or above,
FortiOS version 7.0.0 to 7.0.5 : Please upgrade IPS engine to version 7.114 or above,
FortiOS version 7.2.0 : Please upgrade IPS engine to version 7.215 or above.

Workarounds

Disable or adjust the security profiles that can trigger the sending of "blocked page" HTML data, or use proxy-based inspection mode instead of the default flow-based inspection mode.
OR
Empty the replacement page (Replacement Page >> Extended View under Security Profiles) to limit the amplification factor created by the block page.
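The reflection described in the Summary and the amplification the last workaround aims to limit, as an added example that is not Fortinet's code and not part of the advisory: a detector run over a constructed packet trace that flags hosts receiving block pages on flows where no server SYN/ACK was ever observed, and reports how many bytes of block page the victim receives per byte of trigger. It assumes the block page is an HTTP response recognisable by a marker string (PAGE_MARKER is an assumed value; match your own replacement page), that the advisory's "crafted TCP requests" reach the firewall without a verified handshake (the CWE-940 condition; the advisory does not specify the trigger sequence), and that every address, port and payload below is constructed sample data.

```python
"""Spot TCP middlebox reflection in a packet trace and size its amplification.

Added example, not Fortinet code. Assumptions:
 - the "blocked page" is an HTTP response whose body is the replacement page,
   recognised here by a constructed marker string;
 - a block page emitted for a flow in which no SYN/ACK from the server was
   ever seen is treated as a reflection candidate (the source of the channel
   was never verified, which is what CWE-940 describes);
 - all addresses, ports and payloads below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes


# Constructed stand-ins for the trigger request and the firewall's block page.
GET_REQ = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
PAGE_HEADERS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
PAGE_MARKER = b"<title>Web Page Blocked!</title>"   # assumed marker; use your page's text
BLOCK_PAGE = (PAGE_HEADERS + b"<html><head>" + PAGE_MARKER + b"</head><body>"
              + b"Access to this web site is blocked. " * 20 + b"</body></html>")
EMPTY_PAGE = PAGE_HEADERS            # what an emptied replacement page still sends


def is_block_page(p: Pkt) -> bool:
    """An HTTP response carrying the replacement-page marker."""
    return p.payload.startswith(b"HTTP/1.") and PAGE_MARKER in p.payload


def amplification_factor(trigger: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker has to send."""
    return len(response) / len(trigger)


def find_reflection(pkts, min_pages: int = 3) -> dict:
    """Return {victim_ip: stats} for hosts that received at least min_pages block
    pages on flows that never showed a server SYN/ACK (unverified channel source)."""
    handshakes = set()   # (client, cport, server, sport) for which a SYN/ACK was seen
    stats = defaultdict(lambda: {"pages": 0, "unverified": 0, "bytes_in": 0, "bytes_out": 0})
    for p in sorted(pkts, key=lambda x: x.ts):
        if p.flags == "SA":
            handshakes.add((p.dst, p.dport, p.src, p.sport))
        elif is_block_page(p):
            s = stats[p.dst]
            s["pages"] += 1
            s["bytes_out"] += len(p.payload)
            if (p.dst, p.dport, p.src, p.sport) not in handshakes:
                s["unverified"] += 1
        elif p.payload:
            # request bytes attributed to the claimed (possibly spoofed) client
            stats[p.src]["bytes_in"] += len(p.payload)
    out = {}
    for victim, s in stats.items():
        if s["unverified"] >= min_pages:
            s["amplification"] = s["bytes_out"] / max(s["bytes_in"], 1)
            out[victim] = dict(s)
    return out


def sample_trace():
    """Constructed capture: one legitimate blocked browse plus five spoofed triggers."""
    server, victim, client = "198.51.100.5", "198.51.100.77", "192.0.2.10"
    t = 0.0
    pkts = [  # legitimate client: full handshake, then request, then block page
        Pkt(t, client, server, 40000, 80, "S", b""),
        Pkt(t + .01, server, client, 80, 40000, "SA", b""),
        Pkt(t + .02, client, server, 40000, 80, "A", b""),
        Pkt(t + .03, client, server, 40000, 80, "PA", GET_REQ),
        Pkt(t + .04, server, client, 80, 40000, "PA", BLOCK_PAGE),
    ]
    for i in range(5):  # spoofed victim address: SYN, request, block page, no SYN/ACK ever
        t += 1.0
        sp = 50000 + i
        pkts.append(Pkt(t, victim, server, sp, 80, "S", b""))
        pkts.append(Pkt(t + .001, victim, server, sp, 80, "PA", GET_REQ))
        pkts.append(Pkt(t + .002, server, victim, 80, sp, "PA", BLOCK_PAGE))
    return pkts


if __name__ == "__main__":
    for ip, s in find_reflection(sample_trace()).items():
        print(f"{ip}: {s['unverified']} unverified block pages, "
              f"x{s['amplification']:.1f} amplification")
```

The legitimate client is not reported because its block page followed a SYN/ACK; the spoofed address is, because every page it received was sent on a flow the firewall never saw a server answer for. Emptying the replacement page shrinks bytes_out but the HTTP headers still go out, which is why the advisory describes that workaround as limiting, not removing, the amplification factor.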

Timeline

2022-09-06: Initial publication