PSIRT Advisories

1. curl and libcurl CVE-2023-38545 and CVE-2023-38546 vulnerabilities

   CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool) A heap-based buffer overflow flaw was found in the SOCKS5 proxy handshake in the Curl package. If Curl is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes. If the hostname is longer, then Curl switches to the local name resolving and passes the resolved address only to the proxy. The local variable that instructs Curl to "let the host resolve the name" could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behavior. https://curl.se/docs/CVE-2023-38545.html CVE-2023-38546: severity LOW (affects libcurl only, not the tool) A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if the specific series of conditions are met. https://curl.se/docs/CVE-2023-38546.html

2. FortiADC - Privilege escalation vulnerability using the automation cli-script feature

   An improper access control vulnerability [CWE-284] in FortiADC automation feature may allow an authenticated low-privileged attacker to escalate their privileges to super_admin via a specific crafted configuration of fabric automation CLI script.

3. FortiADC & FortiDDoS-F - Buffer overflows in CLI commands

   Multiple buffer copy without checking size of input ('classic buffer overflow') vulnerabilities [CWE-120] in FortiADC & FortiDDoS-F may allow a privileged attacker to execute arbitrary code or commands via specifically crafted CLI requests.

4. FortiADC & FortiDDoS-F - CORS: arbitrary origin trusted

   A permissive cross-domain policy with untrusted domains (CWE-942) vulnerability in the API of FortiADC / FortiDDoS-F may allow an unauthorized attacker to carry out privileged actions and retrieve sensitive information via crafted web requests.

5. FortiClient (Windows) - Arbitrary file deletion from unprivileged users

   An incorrect authorization [CWE-863] vulnerability in FortiClient (Windows) may allow a local low privileged attacker to perform arbitrary file deletion in the device filesystem.

6. FortiClient (Windows) - DLL Hijacking via openssl.cnf

   An untrusted search path vulnerability [CWE-426] in FortiClient Windows OpenSSL component may allow an attacker to perform a DLL Hijack attack via a malicious OpenSSL engine library in the search path.

7. FortiClient for Windows - Hardcoded credentials in vcm2.exe

   A use of hard-coded credentials vulnerability [CWE-798] in FortiClient for Windows may allow an attacker to bypass system protections via the use of static credentials.

8. FortiEDRCollector (Windows) - Protection may be disabled by local attacker

   An improper access control vulnerabilty [CWE-284] in FortiEDRCollectorWindows may allow a local attacker to prevent the collector service to start in the next system reboot by tampering with some registry keys of the service. 

9. FortiMail - Login mechanism without rate limitation

   An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail may allow an unauthenticated attacker to perform a brute force attack on the affected endpoints via repeated login attempts.

10. FortiMail - User can see and modify address book folders title of other users

    An improper authorization vulnerability [CWE-285] in FortiMail webmail may allow an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPs requests.

11. FortiManager & FortiAnalyzer - Use of hardcoded credentials in fmgsvrd

    A use of hard-coded credentials [CWE-798] in FortiManager and FortiAnalyzer may allow an attacker to access Fortinet dummy testing data via the use of static credentials. Those credentials have been revoked.

12. FortiOS & FortiProxy - DOS in headers management

    A null pointer dereference [CWE-476] in FortiOS and FortiProxy SSL VPN may allow an authenticated attacker to perform a DoS attack on the device via specifically crafted HTTP requests.

13. FortiOS & FortiProxy VM - Bypass of root file system integrity checks at boot time on VM

    An improper validation of integrity check value vulnerability [CWE-354] in FortiOS and FortiProxy VMs may allow a local attacker with admin privileges to boot a malicious image on the device and bypass the filesytem integrity check in place.

14. FortiSIEM - Encrypted password stored in logs

    An insertion of sensitive information into log file vulnerability [CWE-532] in FortiSIEM may allow an authenticated user to view an encrypted ElasticSearch password via debug log files generated when FortiSIEM is configured with ElasticSearch Event Storage.  

15. FortiSIEM - OS command injection in Report Server

    An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests. This vulnerability was internally discovered as a variant of FG-IR-23-130.

16. FortiSIEM - Windows agent password is visible in the logs

    An exposure of sensitive information to an unauthorized actor [CWE-200] in FortiSIEM may allow an attacker with access to windows agent logs to obtain the windows agent password via searching through the logs.

17. FortiWAN - Guessable static JSON web token secret

    *PRODUCT OUT OF SUPPORT* An improper authentication vulnerability [CWE-287] in FortWAN may allow an authenticated attacker to escalate his privileges via HTTP or HTTPs requests with crafted JWT token values.

18. FortiWAN - Path traversal vulnerability

    *PRODUCT OUT OF SUPPORT* A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability [CWE-22] in FortiWAN may allow an authenticated attacker to read and delete arbitrary file of the system via crafted HTTP or HTTPs requests.

19. FortiWLM - Unauthenticated arbitrary file read vulnerability

    A relative path traversal vulnerability [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read arbitrary files via crafted HTTP requests.

20. FortiWLM - Unauthenticated SQL Injection Vulnerability

    An improper neutralization of special elements used in an sql command [CWE-89] in FortiWLM may allow a remote unauthenticated attacker to execute unauthorized sql queries via a crafted http request.

21. TunnelCrack VPN vulnerabilities

    Fortinet is aware of a research article named TunnelCrack, published at Usenix [1], which describe the LocalNet and ServerIP attacks. These attacks aim to leak VPN client traffic outside of the protected VPN tunnel when clients connect via untrusted networks, such as rogue Wi-Fi access points.  The LocalNet attack allows an attacker to force the usage of local network access features of the VPN to access unencrypted traffic. The ServerIP attack allows an attacker to intercept traffic sent to a spoofed VPN gateway via DNS spoofing attacks. These attacks do not enable the attacker to decrypt the encrypted traffic but rather will try to redirect the traffic through attacker controlled channels before the traffic is encrypted by the VPN.

22. FortiSandbox - Reflected Cross Site Scripting (XSS) on the "file ondemand" rendering endpoint

    An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

23. FortiSandbox - Arbitrary file delete

    An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiSandbox may allow a low privileged attacker to delete arbitrary files via crafted http requests.

24. FortiSandbox - Reflected Cross Site Scripting (XSS) on download progress endpoint

    An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

25. FortiSandbox - XSS on delete endpoint

    Multiple improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.