IPS Engine evasion using custom TCP flags
Summary
An interpretation conflict vulnerability [CWE-436] in FortiOS IPS Engine may allow an unauthenticated remote attacker to evade NGFW policies or IPS Engine protection via crafted TCP packets.
Affected Products
FortiOS 7.4 all versions are not affected
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.2 through 7.0.11
FortiOS version 6.4.0 through 6.4.12
At least
IPS Engine version 7.321
IPS Engine version 7.166
IPS Engine version 6.158
Solutions
A manual IPS Engine download is not needed unless the device is offline and cannot download the IPS Engine update automatically.
Fixed in IPS Engine version 6.0159 and later.
FortiOS 6.4.13 and later contain IPS Engine 6.0160 as the default IPS Engine.
IPS Engine 6.0162 is downloadable from FortiGuard by FortiGate units with a valid subscription running FortiOS 6.4.x.
Fixed in IPS Engine version 7.0166 and later.
FortiOS 7.0.12 and later contain IPS Engine 7.0167 as the default IPS Engine.
Fixed in IPS Engine version 7.0313 and later.
FortiOS 7.2.5 and later contain IPS Engine 7.0314 as the default IPS Engine.
IPS Engine 7.0322 is downloadable from FortiGuard by FortiGate units with a valid subscription running FortiOS 7.2.x.