Format String Bug in HTTPSd
Summary
A format string vulnerability [CWE-134] in the HTTPSd daemon of FortiOS, FortiProxy and FortiPAM may allow an authenticated user to execute unauthorized code or commands via specially crafted API requests.
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.11 | Upgrade to 7.0.12 or above |
| FortiOS 6.4 | 6.4.0 through 6.4.12 | Upgrade to 6.4.13 or above |
| FortiOS 6.2 | 6.2.0 through 6.2.15 | Upgrade to 6.2.16 or above |
| FortiOS 6.0 | 6.0 all versions | Migrate to a fixed release |
| FortiPAM 1.2 | Not affected | Not Applicable |
| FortiPAM 1.1 | 1.1.0 | Upgrade to 1.1.1 or above |
| FortiPAM 1.0 | 1.0 all versions | Migrate to a fixed release |
| FortiProxy 7.4 | Not affected | Not Applicable |
| FortiProxy 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.10 | Upgrade to 7.0.11 or above |
| FortiProxy 2.0 | Not affected | Not Applicable |
| FortiProxy 1.2 | Not affected | Not Applicable |
A virtual patch named "FortiOS.FortiSASE.Daemon.Format.String." is available in FMWP db update 23.104.
This vulnerability is not directly related to SSLVPNd; disabling it is NOT a valid workaround.
The attacker must have Read/Write privileges on the administrative interface to perform this attack.
Although the "trusted host" mitigation might limit potential exploitation, it should not be considered a valid workaround.
Effective workarounds are either to upgrade to a fixed release or to apply the virtual patch above.
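For fleet triage, the affected-version table above can be applied to an inventory export. The following Python is an added example, not Fortinet code; the `host,product,version` inventory format and the sample hosts are constructed, and it compares release numbers only, not whether the virtual patch is applied.

```python
import re

# Transcribed from the advisory table: (product, branch) -> (last affected patch, first fixed).
# last=None means every release of the branch is affected and no in-branch fix is listed.
AFFECTED = {
    ("FortiOS", "7.4"): (0, "7.4.1"),
    ("FortiOS", "7.2"): (4, "7.2.5"),
    ("FortiOS", "7.0"): (11, "7.0.12"),
    ("FortiOS", "6.4"): (12, "6.4.13"),
    ("FortiOS", "6.2"): (15, "6.2.16"),
    ("FortiOS", "6.0"): (None, None),
    ("FortiPAM", "1.1"): (0, "1.1.1"),
    ("FortiPAM", "1.0"): (None, None),
    ("FortiProxy", "7.2"): (4, "7.2.5"),
    ("FortiProxy", "7.0"): (10, "7.0.11"),
}
# Branches the table lists explicitly as "Not affected".
NOT_AFFECTED = {("FortiPAM", "1.2"), ("FortiProxy", "7.4"),
                ("FortiProxy", "2.0"), ("FortiProxy", "1.2")}
# Constructed sample inventory (hypothetical hosts), one "host,product,version" per line.
INVENTORY = "fw-edge-01,FortiOS,7.2.4\nfw-lab-01,FortiOS,6.0.17\nproxy-02,FortiProxy,7.4.0\nfw-new-01,FortiOS,7.6.0"

def triage(product, version):
    """Return (status, action) for one product/version pair, per the advisory table."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return ("unknown", "unparseable version, check manually")
    key, patch = (product.strip(), f"{m[1]}.{m[2]}"), int(m[3])
    if key in NOT_AFFECTED:
        return ("not affected", "none")
    if key not in AFFECTED:  # branch absent from the table: do not guess either way
        return ("unknown", "branch not listed in the advisory")
    last, fixed = AFFECTED[key]
    if last is None:
        return ("affected", "migrate to a fixed release")
    if patch <= last:
        return ("affected", f"upgrade to {fixed} or above")
    return ("not affected", "none")

def scan(inventory):
    """Triage 'host,product,version' lines; returns (host, status, action) tuples."""
    rows = [line.split(",") for line in inventory.splitlines() if line.strip()]
    return [(host.strip(), *triage(product, version)) for host, product, version in rows]

if __name__ == "__main__":
    for host, status, action in scan(INVENTORY):
        print(f"{host:12} {status:13} {action}")
```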
Acknowledgement
Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team in the frame of an internal audit of the SSL-VPN component.
Timeline
2023-12-08: Initial publication
2024-01-10: Virtual patch renamed "FortiOS.HTTPSd.Daemon.CVE-2023-36639.Memory.Corruption"