Heap buffer underflow in administrative interface

Summary

A buffer underwrite ("buffer underflow") vulnerability in FortiOS, FortiManager, FortiAnalyzer, FortiWeb, FortiProxy & FortiSwitchManager administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests.
## Exploitation status:
Fortinet is not aware of any instance where this vulnerability was exploited in the wild. We continuously review and test the security of our products, and this vulnerability was internally discovered within that frame.

Affected Products

FortiSwitchManager version 7.2.0 through 7.2.1
FortiSwitchManager version 7.0.0 through 7.0.1
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.9
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.0 through 6.2.12
FortiOS version 6.0.0 through 6.0.16
FortiOS 5.x all versions
FortiWeb version 7.2.0 through 7.2.1
FortiWeb version 7.0.0 through 7.0.6
FortiWeb version 6.4.0 through 6.4.2
FortiWeb version 6.3.0 through 6.3.22
FortiWeb version 6.2.0 through 6.2.7
FortiWeb version 6.1.0 through 6.1.3
FortiAnalyzer version 7.2.0
FortiAnalyzer version 7.0.0 through 7.0.4
FortiAnalyzer version 6.4.0 through 6.4.11
FortiAnalyzer version 6.2.0 through 6.2.10
FortiAnalyzer version 6.0.0 through 6.0.11
FortiManager version 7.2.0
FortiManager version 7.0.0 through 7.0.4
FortiManager version 6.4.0 through 6.4.11
FortiManager version 6.2.0 through 6.2.10
FortiManager version 6.0.0 through 6.0.11
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.8
FortiProxy version 2.0.0 through 2.0.12
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiOS-6K7K version 7.0.5
FortiOS-6K7K version 6.4.10
FortiOS-6K7K version 6.4.8
FortiOS-6K7K version 6.4.6
FortiOS-6K7K version 6.4.2
FortiOS-6K7K version 6.2.9 through 6.2.12
FortiOS-6K7K version 6.2.6 through 6.2.7
FortiOS-6K7K version 6.2.4
FortiOS-6K7K 6.0 all versions

Even when running a vulnerable FortiOS version, the hardware devices listed below are only impacted by the DoS part of the issue, not by the arbitrary code execution (non-listed devices are vulnerable to both):

FortiGateRugged-100C
FortiGate-100D
FortiGate-200C
FortiGate-200D
FortiGate-300C
FortiGate-3600A
FortiGate-5001FA2
FortiGate-5002FB2
FortiGate-60D
FortiGate-620B
FortiGate-621B
FortiGate-60D-POE
FortiWiFi-60D
FortiWiFi-60D-POE
FortiGate-300C-Gen2
FortiGate-300C-DC-Gen2
FortiGate-300C-LENC-Gen2
FortiWiFi-60D-3G4G-VZW
FortiGate-60DH
FortiWiFi-60DH
FortiGateRugged-60D
FortiGate-VM01-Hyper-V
FortiGate-VM01-KVM
FortiWiFi-60D-I
FortiGate-60D-Gen2
FortiWiFi-60D-J
FortiGate-60D-3G4G-VZW
FortiWifi-60D-Gen2
FortiWifi-60D-Gen2-J
FortiWiFi-60D-T
FortiGateRugged-90D
FortiWifi-60D-Gen2-U
FortiGate-50E
FortiWiFi-50E
FortiGate-51E
FortiWiFi-51E
FortiWiFi-50E-2R
FortiGate-52E
FortiGate-40F
FortiWiFi-40F
FortiGate-40F-3G4G
FortiWiFi-40F-3G4G
FortiGate-40F-3G4G-NA
FortiGate-40F-3G4G-EA
FortiGate-40F-3G4G-JP
FortiWiFi-40F-3G4G-NA
FortiWiFi-40F-3G4G-EA
FortiWiFi-40F-3G4G-JP

Solutions

Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.10 or above
Please upgrade to FortiOS version 6.4.12 or above
Please upgrade to FortiOS version 6.2.13 or above
Please upgrade to FortiWeb version 7.2.2 or above
Please upgrade to FortiWeb version 7.0.7 or above
Please upgrade to FortiWeb version 6.4.3 or above
Please upgrade to FortiWeb version 6.3.23 or above
Please upgrade to FortiWeb version 6.2.8 or above
Please upgrade to FortiWeb version 6.1.4 or above
Please upgrade to upcoming FortiOS version 6.0.17 or above
Please upgrade to FortiSwitchManager version 7.2.2 or above
Please upgrade to FortiSwitchManager version 7.0.2 or above
Please upgrade to FortiProxy version 7.2.3 or above
Please upgrade to FortiProxy version 7.0.9 or above
Please upgrade to FortiManager version 7.2.1 or above
Please upgrade to FortiManager version 7.0.5 or above
Please upgrade to FortiManager version 6.4.12 or above
Please upgrade to FortiManager version 6.2.11 or above
Please upgrade to FortiManager version 6.0.12 or above
Please upgrade to FortiOS-6K7K version 7.0.10 or above
Please upgrade to FortiOS-6K7K version 6.4.12 or above
Please upgrade to FortiOS-6K7K version 6.2.13 or above
Please upgrade to FortiAnalyzer version 7.2.1 or above
Please upgrade to FortiAnalyzer version 7.0.5 or above
Please upgrade to FortiAnalyzer version 6.4.12 or above
Please upgrade to FortiAnalyzer version 6.2.11 or above
Please upgrade to FortiAnalyzer version 6.0.12 or above
## Workaround for FortiOS:
Disable HTTP/HTTPS administrative interface
OR
Limit IP addresses that can reach the administrative interface:
```
config firewall address
    edit my_allowed_addresses
        set subnet <MY IP> <MY SUBNET>
end
```
Then create an Address Group:
```
config firewall addrgrp
    edit MGMT_IPs
        set member my_allowed_addresses
end
```
Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):
```
config firewall local-in-policy
    edit 1
        set intf port1
        set srcaddr MGMT_IPs
        set dstaddr all
        set action accept
        set service HTTPS HTTP
        set schedule always
        set status enable
    next

    edit 2
        set intf any
        set srcaddr all
        set dstaddr all
        set action deny
        set service HTTPS HTTP
        set schedule always
        set status enable
end
```
If using non-default ports, create appropriate service objects for GUI administrative access:
```
config firewall service custom
    edit GUI_HTTPS
        set tcp-portrange <admin-sport>
    next
    edit GUI_HTTP
        set tcp-portrange <admin-port>
end
```
Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.
When using an HA reserved management interface, the local-in policy needs to be configured slightly differently. Please see:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005
Please contact customer support for assistance.
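
To confirm the local-in policy workaround above is actually present in a configuration backup, the check below parses the `config firewall local-in-policy` section and reports an accept rule open to `all` or a missing catch-all deny. It is an added example, not Fortinet code; the function names, the sample configuration and the handling of unset `status`/`action` values are assumptions, and it does not resolve what an address group contains.

```python
import shlex

def parse_local_in(config_text):
    """Return the local-in policies found in FortiOS config text, in order."""
    policies, current, in_section = [], None, False
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:  # unbalanced quote from a multi-line value
            continue
        if tok[:3] == ["config", "firewall", "local-in-policy"]:
            in_section = True
        elif not in_section or not tok:
            continue
        elif tok[0] == "edit" and len(tok) > 1:
            current = {"id": tok[1]}
            policies.append(current)
        elif tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = tok[2:]
        elif tok[0] == "end":
            in_section, current = False, None
    return policies

def audit_gui_restriction(config_text, services=("HTTPS", "HTTP")):
    """Return findings; an empty list means the restriction pattern is present."""
    wanted, denied, findings = set(services), set(), []
    for p in parse_local_in(config_text):
        svc, src = set(p.get("service", [])), p.get("srcaddr", [])
        # Assumption: unset status means enabled, unset action means deny.
        if p.get("status", ["enable"]) != ["enable"] or not svc & (wanted | {"ALL"}):
            continue
        if p.get("action", ["deny"]) == ["accept"]:
            if "all" in src:
                findings.append(f"policy {p['id']}: GUI access accepted from 'all'")
        elif src == ["all"] and p.get("intf") == ["any"]:
            denied |= wanted if "ALL" in svc else svc & wanted
    for name in sorted(wanted - denied):
        findings.append(f"no catch-all deny for {name} on intf any")
    return findings

# Constructed sample (not from a real device): open accept, no deny rule.
SAMPLE_WEAK = """config firewall local-in-policy
edit 1
set intf "port1"
set srcaddr "all"
set service "HTTPS" "HTTP"
set action accept
end"""
print(audit_gui_restriction(SAMPLE_WEAK))
```

When the GUI runs on non-default ports, pass the custom service object names, for example `services=("GUI_HTTPS", "GUI_HTTP")`.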
## Workaround for FortiManager and FortiAnalyzer:
Limit IP addresses that can reach the administrative interface
## Workaround for FortiWeb:
Disable HTTP/HTTPS administrative interface
OR
Limit IP addresses that can reach the administrative interface

Acknowledgement

Internally discovered and reported by Kai Ni from Burnaby InfoSec team.

Timeline

2023-03-07: Initial publication
2023-04-03: Add FortiSwitchManager
2023-06-13: Add FortiAnalyzer, FortiManager, FortiWeb