Summary
An out-of-bounds write vulnerability [CWE-787] and a Stack-based Buffer Overflow [CWE-121] in FortiOS & FortiProxy captive portal may allow an inside attacker who has access to captive portal to execute arbitrary code or commands via specially crafted HTTP requests.
Workaround:
Set a non form-based authentication scheme:
config authentication scheme
edit scheme
set method method
next
end
Where <method> can be any of those :
ntlm NTLM authentication.
basic Basic HTTP authentication.
digest Digest HTTP authentication.
negotiate Negotiate authentication.
fsso Fortinet Single Sign-On (FSSO) authentication.
rsso RADIUS Single Sign-On (RSSO) authentication.
ssh-publickey Public key based SSH authentication.
cert Client certificate authentication.
saml SAML authentication
Affected Products
FortiOS version 7.4.0 through 7.4.1
FortiOS version 7.2.0 through 7.2.5
FortiOS version 7.0.0 through 7.0.12
FortiOS version 6.4.0 through 6.4.14
FortiOS version 6.2.0 through 6.2.15
FortiProxy version 7.4.0
FortiProxy version 7.2.0 through 7.2.6
FortiProxy version 7.0.0 through 7.0.12
FortiProxy version 2.0.0 through 2.0.13
Solutions
Please upgrade to FortiOS version 7.4.2 or above
Please upgrade to FortiOS version 7.2.6 or above
Please upgrade to FortiOS version 7.0.13 or above
Please upgrade to FortiOS version 6.4.15 or above
Please upgrade to FortiOS version 6.2.16 or above
Please upgrade to FortiProxy version 7.4.1 or above
Please upgrade to FortiProxy version 7.2.7 or above
Please upgrade to FortiProxy version 7.0.13 or above
Please upgrade to FortiProxy version 2.0.14 or above
Fortinet in Q3/23 has remediated this issue in FortiSASE version 23.3.b and hence the customers need not perform any action.
Virtual Patch named «FortiOS.Captive.Portal.Out.Of.Bounds.Write.» is available in FMWP db update 23.105
Acknowledgement
Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security Team.Timeline
2024-02-27: Initial publication
