The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.
- An incorrect parsing of numbers with different radices vulnerability [CWE-1389] in FortiOS and FortiProxy IP address validation feature may permit an unauthenticated attacker to bypass the IP blocklist via crafted requests.
- A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS and FortiProxy may allow a privileged attacker with super-admin profile and CLI access to decrypt the backup file.
- CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool). A heap-based buffer overflow flaw was found in the SOCKS5 proxy handshake in the Curl package. If Curl is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes. If the hostname is longer, then Curl switches to the local name resolving and passes the resolved address only to the proxy. The local variable that instructs Curl to "let the host resolve the name" could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behavior. https://curl.se/docs/CVE-2023-38545.html
  CVE-2023-38546: severity LOW (affects libcurl only, not the tool). A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if a specific series of conditions is met. https://curl.se/docs/CVE-2023-38546.html
- The Fortinet Product Security team has evaluated the impact of the vulnerability HTTP/2 Rapid Reset Attack, listed below:
  CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly. https://nvd.nist.gov/vuln/detail/CVE-2023-44487
- An improper validation of integrity check value vulnerability [CWE-354] in FortiOS VMs may allow a local attacker with admin privileges to boot a malicious image on the device and bypass the filesystem integrity check in place.
- An insufficient session expiration vulnerability [CWE-613] in FortiOS, FortiProxy, FortiPAM & FortiSwitchManager GUI may allow attackers to re-use web sessions after GUI logout, should they manage to acquire the required credentials.
- An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS / FortiProxy log events may allow a remote authenticated attacker to read certain passwords in ciphertext.
- A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. A third-party report indicates this may be exploited in the wild.
- CVE-2024-6387: A signal handler race condition was found in OpenSSH's server (sshd). If a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This could lead to remote code execution with root privileges.
- A use of externally-controlled format string vulnerability [CWE-134] in FortiAnalyzer fazsvcd daemon may allow a remote privileged attacker with admin profile to execute arbitrary code or commands via specially crafted requests.
- An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager Administrative Domain (ADOM) may allow a remote authenticated attacker assigned to an ADOM to access device summary of other ADOMs via crafted HTTP requests.
- A stack-based overflow vulnerability [CWE-124] in FortiOS, FortiProxy, FortiPAM and FortiSwitchManager may allow a remote attacker to execute arbitrary code or commands via crafted packets reaching the fgfmd daemon, under certain conditions which are outside the control of the attacker.
- An improperly implemented security check for standard vulnerability [CWE-358] in FortiADC Web Application Firewall (WAF) when cookie security policy is enabled may allow an attacker, under specific conditions, to retrieve the initial encrypted and signed cookie protected by the feature.
- An improper certificate validation vulnerability [CWE-295] in FortiClientWindows, FortiClientLinux and FortiClientMac may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiGate and the FortiClient during the ZTNA tunnel creation.
- An improper certificate validation vulnerability [CWE-295] in FortiClientWindows, FortiClientMac, FortiClientLinux, FortiClientAndroid and FortiClientiOS SAML SSO feature may allow an unauthenticated attacker to man-in-the-middle the communication between the FortiClient and both the service provider and the identity provider.
- An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer & FortiManager may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.
- An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiClientEMS may allow an unauthenticated attacker to execute limited and temporary operations on the underlying database via crafted requests.
- An improper authorization vulnerability [CWE-285] in FortiSOAR change password endpoint may allow an authenticated attacker to perform a brute force attack on users' and administrators' passwords via crafted HTTP requests.
- Multiple improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerabilities [CWE-23] in FortiClientEMS management interface may allow a remote and authenticated attacker to retrieve or delete arbitrary files from the underlying filesystem via specially crafted web requests.
- An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiSandbox may allow an authenticated attacker with at least read-only permission to read sensitive files via HTTP GET requests.