FortiNet Alerts

FortiOS & FortiProxy – Out-of-bounds Write in captive portal

Michael Dittmer

FortiNet have released the following about a CRITICAL Severity issue for FortiOS and FortiProxy captive portal.

This issue has a CVSSv3 Score of 9.3.

Summary

An out-of-bounds write vulnerability [CWE-787] and a Stack-based Buffer Overflow [CWE-121] in FortiOS & FortiProxy captive portal may allow an inside attacker who has access to captive portal to execute arbitrary code or commands via specially crafted HTTP requests.

Workaround:

Set a non form-based authentication scheme:

config authentication scheme
edit scheme
set method method
next
end

Where <method> can be any of those:
ntlm NTLM authentication
basic Basic HTTP authentication
digest Digest HTTP authentication
negotiate Negotiate authentication
fsso Fortinet Single Sign-On (FSSO) authentication
rsso RADIUS Single Sign-On (RSSO) authentication
ssh-publickey Public key based SSH authentication
cert Client certificate authentication
saml SAML authentication

None of the enabled authentication schemes should be form-based.

Please note that only devices with captive portal enabled are affected.

Affected Products

FortiOS version 7.4.0 through 7.4.1
FortiOS version 7.2.0 through 7.2.5
FortiOS version 7.0.0 through 7.0.12
FortiOS version 6.4.0 through 6.4.14
FortiOS version 6.2.0 through 6.2.15
FortiProxy version 7.4.0
FortiProxy version 7.2.0 through 7.2.6
FortiProxy version 7.0.0 through 7.0.12
FortiProxy version 2.0.0 through 2.0.13

Solutions

Please upgrade to FortiOS version 7.4.2 or above
Please upgrade to FortiOS version 7.2.6 or above
Please upgrade to FortiOS version 7.0.13 or above
Please upgrade to FortiOS version 6.4.15 or above
Please upgrade to FortiOS version 6.2.16 or above
Please upgrade to FortiProxy version 7.4.1 or above
Please upgrade to FortiProxy version 7.2.7 or above
Please upgrade to FortiProxy version 7.0.13 or above
Please upgrade to FortiProxy version 2.0.14 or above
Fortinet in Q3/23 has remediated this issue in FortiSASE version 23.3.b and hence the customers need not perform any action.

Virtual Patch named “FortiOS.Captive.Portal.Out.Of.Bounds.Write.” is available in FMWP db update 23.105

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security Team.

Information above provided by FortiNet FortiGuard PSIRT