{"id":149,"date":"2024-03-28T14:16:57","date_gmt":"2024-03-28T01:16:57","guid":{"rendered":"https:\/\/securesphere.co.nz\/?p=149"},"modified":"2024-03-28T14:20:41","modified_gmt":"2024-03-28T01:20:41","slug":"fortios-fortiproxy-out-of-bounds-write-in-captive-portal","status":"publish","type":"post","link":"https:\/\/securesphere.co.nz\/index.php\/2024\/03\/28\/fortios-fortiproxy-out-of-bounds-write-in-captive-portal\/","title":{"rendered":"FortiOS &amp; FortiProxy &#8211; Out-of-bounds Write in captive portal"},"content":{"rendered":"\n<p>FortiNet have released the following about a CRITICAL Severity issue for FortiOS and FortiProxy captive portal.<\/p>\n\n\n\n<p>This issue has a CVSSv3 Score of 9.3.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span style=\"text-decoration: underline;\">Summary<\/span><\/h3>\n\n\n\n<p>An out-of-bounds write vulnerability [CWE-787] and a Stack-based Buffer Overflow [CWE-121] in FortiOS &amp; FortiProxy captive portal may allow an inside attacker who has access to captive portal to execute arbitrary code or commands via specially crafted HTTP requests.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Workaround:<\/h3>\n\n\n\n<p>Set a non form-based authentication scheme:<\/p>\n\n\n\n<p><code>config authentication scheme<br>edit scheme<br>set method method<br>next<br>end<\/code><\/p>\n\n\n\n<p>Where &lt;method> can be any of those:<br>ntlm NTLM authentication<br>basic Basic HTTP authentication<br>digest Digest HTTP authentication<br>negotiate Negotiate authentication<br>fsso Fortinet Single Sign-On (FSSO) authentication<br>rsso RADIUS Single Sign-On (RSSO) authentication<br>ssh-publickey Public key based SSH authentication<br>cert Client certificate authentication<br>saml SAML authentication<\/p>\n\n\n\n<p>None of the enabled authentication schemes should be form-based.<\/p>\n\n\n\n<p>Please note that only devices with captive portal enabled are affected.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Affected Products<\/h3>\n\n\n\n<p>FortiOS version 7.4.0 through 7.4.1<br>FortiOS version 7.2.0 through 7.2.5<br>FortiOS version 7.0.0 through 7.0.12<br>FortiOS version 6.4.0 through 6.4.14<br>FortiOS version 6.2.0 through 6.2.15<br>FortiProxy version 7.4.0<br>FortiProxy version 7.2.0 through 7.2.6<br>FortiProxy version 7.0.0 through 7.0.12<br>FortiProxy version 2.0.0 through 2.0.13<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Solutions<\/h3>\n\n\n\n<p>Please upgrade to FortiOS version 7.4.2 or above<br>Please upgrade to FortiOS version 7.2.6 or above<br>Please upgrade to FortiOS version 7.0.13 or above<br>Please upgrade to FortiOS version 6.4.15 or above<br>Please upgrade to FortiOS version 6.2.16 or above<br>Please upgrade to FortiProxy version 7.4.1 or above<br>Please upgrade to FortiProxy version 7.2.7 or above<br>Please upgrade to FortiProxy version 7.0.13 or above<br>Please upgrade to FortiProxy version 2.0.14 or above<br>Fortinet in Q3\/23 has remediated this issue in FortiSASE version 23.3.b and hence the customers need not perform any action.<\/p>\n\n\n\n<p>Virtual Patch named &#8220;FortiOS.Captive.Portal.Out.Of.Bounds.Write.&#8221; is available in FMWP db update 23.105<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Acknowledgement<\/h3>\n\n\n\n<p>Internally discovered and reported by Gwendal Gu\u00e9gniaud of Fortinet Product Security Team.<\/p>\n\n\n\n<p>Information above provided by FortiNet FortiGuard PSIRT<\/p>\n","protected":false},"excerpt":{"rendered":"<p>FortiNet have released the following about a CRITICAL Severity issue for FortiOS and FortiProxy captive portal. This issue has a CVSSv3 Score of 9.3. Summary<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[20],"tags":[21],"class_list":["post-149","post","type-post","status-publish","format-standard","hentry","category-fortinet-alerts","tag-fortinet-firewall"],"_links":{"self":[{"href":"https:\/\/securesphere.co.nz\/index.php\/wp-json\/wp\/v2\/posts\/149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securesphere.co.nz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securesphere.co.nz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securesphere.co.nz\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/securesphere.co.nz\/index.php\/wp-json\/wp\/v2\/comments?post=149"}],"version-history":[{"count":1,"href":"https:\/\/securesphere.co.nz\/index.php\/wp-json\/wp\/v2\/posts\/149\/revisions"}],"predecessor-version":[{"id":150,"href":"https:\/\/securesphere.co.nz\/index.php\/wp-json\/wp\/v2\/posts\/149\/revisions\/150"}],"wp:attachment":[{"href":"https:\/\/securesphere.co.nz\/index.php\/wp-json\/wp\/v2\/media?parent=149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securesphere.co.nz\/index.php\/wp-json\/wp\/v2\/categories?post=149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securesphere.co.nz\/index.php\/wp-json\/wp\/v2\/tags?post=149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}