Zero-Day Advisory

Fortinet Discovers Box.com Denial of Service Vulnerability

Summary

Fortinet's FortiGuard Labs has discovered a denial of service vulnerability in Box.com.

Box is an enterprise content management platform that solves simple and complex challenges, from sharing and accessing files on mobile devices to sophisticated business processes like data governance and retention. More than 41 million users and 74,000 businesses including 59% of the Fortune 500 trust Box to manage content in the cloud.

The vulnerability exists in the Box.com Notes function. Because the "add image" function does not correctly process user-supplied data, malformed input triggers an error that leaves the targeted Note inaccessible, which is the denial of service.
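The advisory does not describe the mechanism beyond "user-supplied data is not processed correctly and the Note becomes inaccessible", so the following is an added, hypothetical Python model of that general failure class, not Box.com's code and not the actual defect. It assumes a note made of JSON-like blocks, an `add image` path that accepts a client-supplied `file_id` and `mime`, and constructed validation rules (`IMAGE_ID_RE`, `ALLOWED_MIME`). It contrasts the weak pattern (store unvalidated data, let a single bad block abort rendering of the whole note) with two defensive patterns: validate at write time so bad data never reaches storage, and isolate per-block rendering failures so one bad element cannot make the whole document unreadable.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed validation rules for this toy model (assumptions, not Box.com's rules).
IMAGE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
ALLOWED_MIME = {"image/png", "image/jpeg", "image/gif"}


class BlockError(ValueError):
    """Raised when a note block cannot be validated or rendered."""


@dataclass
class Note:
    blocks: list[dict] = field(default_factory=list)


def validate_image_block(block: dict) -> None:
    """Reject an image block whose user-supplied fields are malformed."""
    file_id = block.get("file_id")
    if not isinstance(file_id, str) or not IMAGE_ID_RE.fullmatch(file_id):
        raise BlockError("image block has a malformed file_id")
    if block.get("mime") not in ALLOWED_MIME:
        raise BlockError("image block has an unsupported mime type")


def validate_block(block: dict) -> None:
    """Dispatch validation by block type; unknown types are rejected."""
    kind = block.get("type")
    if kind == "text":
        if not isinstance(block.get("text"), str):
            raise BlockError("text block has no string body")
        return
    if kind == "image":
        validate_image_block(block)
        return
    raise BlockError(f"unknown block type {kind!r}")


def add_block_naive(note: Note, block: dict) -> None:
    """Weak pattern: store whatever the client sent; errors surface only on read."""
    note.blocks.append(block)


def add_block_hardened(note: Note, block: dict) -> None:
    """Hardened pattern: validate at write time so bad data never reaches storage."""
    validate_block(block)
    note.blocks.append(block)


def render_block(block: dict) -> str:
    """Render one block to an HTML fragment; raises BlockError on bad input."""
    validate_block(block)
    if block["type"] == "text":
        return block["text"]
    return f'<img src="/files/{block["file_id"]}">'


def render_note_naive(note: Note) -> str:
    """Weak pattern: a single bad block aborts the whole render."""
    return "\n".join(render_block(b) for b in note.blocks)


def render_note_resilient(note: Note) -> str:
    """Hardened pattern: isolate per-block failures so the note stays readable."""
    parts = []
    for index, block in enumerate(note.blocks):
        try:
            parts.append(render_block(block))
        except BlockError:
            parts.append(f"<!-- block {index} could not be rendered -->")
    return "\n".join(parts)


# Constructed sample input: a normal text block and a malformed image block
# (empty file_id), standing in for "user-supplied data that is not processed correctly".
TEXT_BLOCK = {"type": "text", "text": "meeting notes"}
BAD_IMAGE_BLOCK = {"type": "image", "file_id": "", "mime": "image/png"}


def naive_note_is_unreadable() -> bool:
    """Store without validation, then read: the whole note fails to load."""
    note = Note()
    add_block_naive(note, TEXT_BLOCK)
    add_block_naive(note, BAD_IMAGE_BLOCK)
    try:
        render_note_naive(note)
    except BlockError:
        return True
    return False


def hardened_write_rejects_bad_block() -> bool:
    """Validate at write time: the bad block is rejected and the note is unchanged."""
    note = Note()
    add_block_hardened(note, TEXT_BLOCK)
    try:
        add_block_hardened(note, BAD_IMAGE_BLOCK)
    except BlockError:
        return len(note.blocks) == 1
    return False


def resilient_read_keeps_note_readable() -> str:
    """Even with bad data already stored, the note still renders around it."""
    note = Note()
    add_block_naive(note, TEXT_BLOCK)
    add_block_naive(note, BAD_IMAGE_BLOCK)
    return render_note_resilient(note)


if __name__ == "__main__":
    print("naive read fails:", naive_note_is_unreadable())
    print("hardened write rejects:", hardened_write_rejects_bad_block())
    print(resilient_read_keeps_note_readable())
```

The two defensive layers are independent: write-time validation stops the bad block from being persisted at all, while per-block error isolation on read protects notes that already contain bad data (for example, content stored before a validation fix shipped). A service that has only the read-time isolation still benefits from logging each isolated failure, since a spike in "could not be rendered" blocks is a useful detection signal for malformed input reaching storage.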

Solutions

Box.com has patched the vulnerability. No further action is needed.

Timeline

Fortinet reported the vulnerability to Box.com on March 16, 2018.

Box.com confirmed the vulnerability on March 18, 2018.

Box.com patched the vulnerability on March 18, 2018.

Acknowledgement

This vulnerability was discovered by Zhouyuan Yang of Fortinet's FortiGuard Labs.

IPS Subscription

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability with the appropriate configuration parameters in place. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.