Proxy mode with deep inspection - Stack-based buffer overflow

Summary

A stack-based overflow vulnerability [CWE-124] in FortiOS and FortiProxy may allow a remote attacker to execute arbitrary code or commands via crafted packets that reach proxy policies, or firewall policies in proxy mode, on which SSL deep packet inspection is applied.

Workaround:

Disable HTTP/2 support on the SSL inspection profiles used by proxy policies or by firewall policies in proxy mode. This is done by restricting the ALPN protocols the profile will negotiate to HTTP/1.1 (supported-alpn http1-1), so that HTTP/2 is never selected for inspected connections. The workaround is a mitigation only; the fix is to upgrade to a fixed version listed below.

Example with custom-deep-inspection profile:

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set supported-alpn http1-1
    next
end

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/710924/http-2-support-in-proxy-mode-ssl-inspection
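As an added check, not part of the Fortinet advisory or of FortiOS itself: the script below parses a FortiOS configuration backup and reports which SSL/SSH profiles both perform deep inspection and may still negotiate HTTP/2, which proxy-mode policies reference them, and the CLI needed to apply the workaround above to each. The sample configuration is constructed for this example. Assumptions made here: a profile without a supported-alpn line is treated as the default "all"; deep inspection is recognised from "status deep-inspection" under "config https" or "inspect-all deep-inspection" under "config ssl"; proxy mode on a firewall policy is recognised from "set inspection-mode proxy", and every entry in "config firewall proxy-policy" is treated as proxy mode.

```python
import shlex

# Constructed sample of a FortiOS config backup (not a real device's config).
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set comment "deep inspection, supported-alpn left at default"
        config https
            set ports 443
            set status deep-inspection
        end
    next
    edit "hardened-deep-inspection"
        set supported-alpn http1-1
        config https
            set ports 443
            set status deep-inspection
        end
    next
    edit "certificate-inspection"
        config https
            set ports 443
            set status certificate-inspection
        end
    next
end
config firewall policy
    edit 1
        set name "web-out-proxy"
        set action accept
        set inspection-mode proxy
        set ssl-ssh-profile "custom-deep-inspection"
    next
    edit 2
        set name "web-out-flow"
        set action accept
        set ssl-ssh-profile "custom-deep-inspection"
    next
    edit 3
        set name "cert-only"
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
    next
end
config firewall proxy-policy
    edit 10
        set name "explicit-proxy"
        set ssl-ssh-profile "hardened-deep-inspection"
    next
end
"""


def parse_config(text):
    """Parse FortiOS CLI output into nested dicts.

    'config <name>' opens a table keyed by 'edit' ids; 'set k v' stores v
    (a list when multi-valued); nested 'config' blocks become sub-dicts.
    'next'/'end' close the current edit entry or table respectively.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = shlex.split(line)           # handles the quoted names FortiOS emits
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def http2_exposed_profiles(cfg):
    """Profiles that deep-inspect TLS and can still negotiate HTTP/2."""
    exposed = []
    for name, prof in cfg.get("firewall ssl-ssh-profile", {}).items():
        alpn = prof.get("supported-alpn", "all")  # assumption: 'all' when not shown
        deep = (prof.get("https", {}).get("status") == "deep-inspection"
                or prof.get("ssl", {}).get("inspect-all") == "deep-inspection")
        if deep and alpn in ("all", "http2"):
            exposed.append(name)
    return exposed


def policies_at_risk(cfg):
    """(table, id, profile) for proxy-mode policies using an exposed profile."""
    exposed, hits = set(http2_exposed_profiles(cfg)), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("inspection-mode") == "proxy" and pol.get("ssl-ssh-profile") in exposed:
            hits.append(("firewall policy", pid, pol["ssl-ssh-profile"]))
    for pid, pol in cfg.get("firewall proxy-policy", {}).items():  # always proxy mode
        if pol.get("ssl-ssh-profile") in exposed:
            hits.append(("firewall proxy-policy", pid, pol["ssl-ssh-profile"]))
    return hits


def remediation_cli(profiles):
    """Emit the advisory's workaround for each exposed profile."""
    lines = ["config firewall ssl-ssh-profile"]
    for name in profiles:
        lines += [f'    edit "{name}"', "        set supported-alpn http1-1", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for table, pid, prof in policies_at_risk(cfg):
        print(f"{table} {pid}: proxy mode with HTTP/2-capable deep inspection ({prof})")
    print(remediation_cli(http2_exposed_profiles(cfg)))
```

On the sample, only "custom-deep-inspection" is flagged, and only firewall policy 1 references it in proxy mode; policy 2 uses the same profile in flow mode and policy 3 only does certificate inspection, so neither is in scope. The check reports exposure to the preconditions in the summary, not whether the running firmware is itself vulnerable; use the version table below for that.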

Version          Affected                 Solution
FortiOS 7.4      Not affected             Not applicable
FortiOS 7.2      7.2.0 through 7.2.3      Upgrade to 7.2.4 or above
FortiOS 7.0      7.0.0 through 7.0.10     Upgrade to 7.0.11 or above
FortiOS 6.4      Not affected             Not applicable
FortiOS 6.2      Not affected             Not applicable
FortiProxy 7.4   Not affected             Not applicable
FortiProxy 7.2   7.2.0 through 7.2.2      Upgrade to 7.2.3 or above
FortiProxy 7.0   7.0.0 through 7.0.9      Upgrade to 7.0.10 or above
FortiProxy 2.0   Not affected             Not applicable
FortiProxy 1.2   Not affected             Not applicable
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Acknowledgement

This issue was fixed in a previous release as a bug, without a corresponding PSIRT advisory being published at the time. Fortinet would like to thank watchTowr for reporting this omission.

Timeline

2023-07-11: Initial publication