
PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.
  1. A stack-based buffer overflow [CWE-121] vulnerability in the FortiOS administrative interface may allow a privileged attacker to execute arbitrary code or commands via crafted HTTP or HTTPS requests.
  2. A Use of Less Trusted Source [CWE-348] vulnerability in FortiPortal may allow an unauthenticated attacker to bypass IP protection through crafted HTTP or HTTPS packets.
  3. A client-side enforcement of server-side security vulnerability [CWE-602] in FortiPortal may allow an authenticated attacker with a customer account to access other customers' information via crafted HTTP requests.
  4. An improper control of generation of code ('Code Injection') vulnerability [CWE-94] in FortiSOAR may allow an authenticated attacker to execute arbitrary code on the host via a playbook code snippet.
  5. A double free vulnerability [CWE-415] in FortiOS may allow a privileged attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests.
  6. An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiADC may allow a read-only admin to view data pertaining to other admins.
  7. Multiple format string vulnerabilities [CWE-134] in the FortiOS, FortiProxy, FortiPAM and FortiSwitchManager command line interpreter and httpd may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted commands and HTTP requests.
  8. A URL redirection to untrusted site ('Open Redirect') vulnerability [CWE-601] in FortiAuthenticator may allow an attacker to redirect users to an arbitrary website via a crafted URL.
  9. HTTP/2 CONTINUATION Flood can be used to launch a serious DoS attack that can crash the target server with just one attacking machine (or even one TCP connection to the target). It works by initiating an HTTP/2 stream against the target and then sending HEADERS and CONTINUATION frames with no END_HEADERS flag set; that creates a never-ending stream that could even cause an instant crash. This works because many HTTP/2 implementations do not properly limit or sanitize the number of CONTINUATION frames sent within a single stream.
     CVE-2024-27316 for Apache HTTP Server (httpd): HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
     CVE-2024-24549 for Apache Tomcat: When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.
     CVE-2024-30255 for Envoy proxy (nghttp2): Envoy's HTTP/2 codec allows the peer to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, causing CPU utilization of approximately 1 core per 300 Mbit/s of traffic.
     CVE-2023-45288 for Golang: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data, which is significantly more expensive for the receiver to decode than for an attacker to send.
     CVE-2024-28182 for nghttp2: The nghttp2 library keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream.
     CVE-2024-27983 for Node.js: An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and then the TCP connection is abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), causing a race condition.
     CVE-2024-3302 for Firefox: There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an out-of-memory condition in the browser.
  10. An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiVoice Enterprise may allow an authenticated attacker to read the SIP configuration of other users via crafted HTTP or HTTPS requests.
  11. An improper removal of sensitive information before storage or transfer vulnerability [CWE-212] in FortiSOAR may allow an authenticated low-privileged user to read Connector passwords in plain text via HTTP responses.
  12. Several improper input validation [CWE-20] and improper authorization vulnerabilities [CWE-285] affecting FortiWebManager may allow an authenticated attacker with at least read-only permission to execute unauthorized actions via HTTP requests or the CLI.
  13. An improper check or handling of exceptional conditions vulnerability [CWE-703] in FortiOS version 7.4.1 may allow an unauthenticated attacker to perform a temporary denial of service attack on the administrative interface via crafted HTTP requests.
  14. An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiWeb may allow an authenticated attacker to read password hashes of other administrators via CLI commands or HTTP requests.
  15. A client-side enforcement of server-side security vulnerability [CWE-602] in FortiSandbox may allow an authenticated attacker with at least read-only permission to download or upload configuration.
  16. An insufficient verification of data authenticity vulnerability [CWE-345] in FortiOS & FortiProxy SSL-VPN tunnel mode may allow an authenticated VPN user to send (but not receive) packets spoofing the IP of another user via crafted network packets.
  17. An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiNAC may allow a remote authenticated attacker to perform stored and reflected cross site scripting (XSS) attack via crafted HTTP requests.
  18. Multiple improper authorization vulnerabilities [CWE-285] in FortiWeb may allow an authenticated attacker to perform unauthorized ADOM operations via crafted requests.
  19. An insufficiently protected credentials vulnerability [CWE-522] in FortiOS and FortiProxy may allow an attacker to obtain the administrator cookie in rare and specific conditions, via tricking the administrator into visiting a malicious attacker-controlled website through the SSL-VPN.
  20. An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiSandbox may allow an authenticated attacker with at least read-only permission to delete arbitrary files via crafted HTTP requests.
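The CONTINUATION flood described under item 9 above comes down to one missing bound: how many CONTINUATION frames, and how many header-block bytes, a server keeps reading before it gives up on the stream. The Python below is an added example, not code from Fortinet or from any of the projects named in the advisories. It pairs a minimal HTTP/2 frame parser with a connection-level guard that stops reading (and would never start HPACK decoding) once a byte or frame budget is exceeded. The limits MAX_HEADER_BLOCK_BYTES and MAX_CONTINUATION_FRAMES, the helper names, and the frame sequences used as input are all constructed here for illustration; the frame layout itself follows RFC 9113.

```python
from typing import Iterator, Optional, Tuple

FRAME_HEADERS = 0x1        # RFC 9113 frame type HEADERS
FRAME_CONTINUATION = 0x9   # RFC 9113 frame type CONTINUATION
FLAG_END_HEADERS = 0x4     # set on the frame that completes a header block
FRAME_HEADER_LEN = 9       # 24-bit length + type + flags + 32-bit stream id

# Hypothetical policy values for this example; a real server would derive
# them from its configured header size limit (e.g. Go's MaxHeaderBytes).
MAX_HEADER_BLOCK_BYTES = 4096
MAX_CONTINUATION_FRAMES = 4


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big")
            + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big")
            + payload)


def iter_frames(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Split a byte buffer into (type, flags, stream_id, payload) tuples."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


class HeaderBlockGuard:
    """Tracks the single in-progress header block a connection may have and
    refuses to keep reading once the byte or frame budget is exceeded.
    The budget is checked before any HPACK decoding would take place, so an
    over-limit block costs the server nothing beyond the bytes already read."""

    def __init__(self, max_bytes: int = MAX_HEADER_BLOCK_BYTES,
                 max_frames: int = MAX_CONTINUATION_FRAMES) -> None:
        self.max_bytes = max_bytes
        self.max_frames = max_frames
        self.open_stream: Optional[int] = None  # stream whose block is incomplete
        self.block_bytes = 0
        self.continuations = 0

    def feed(self, ftype: int, flags: int, stream_id: int, payload: bytes) -> str:
        """Return 'ok' (keep reading), 'complete' (header block finished) or
        'close' (connection error: stop parsing this connection)."""
        if self.open_stream is not None:
            # RFC 9113 s.6.10: only a CONTINUATION on the same stream may follow
            if ftype != FRAME_CONTINUATION or stream_id != self.open_stream:
                return "close"
            self.continuations += 1
        elif ftype == FRAME_HEADERS:
            self.open_stream = stream_id
            self.block_bytes = 0
            self.continuations = 0
        elif ftype == FRAME_CONTINUATION:
            return "close"   # CONTINUATION with no open header block
        else:
            return "ok"      # other frame types are not this guard's concern

        self.block_bytes += len(payload)
        if self.block_bytes > self.max_bytes or self.continuations > self.max_frames:
            return "close"   # over budget: do not buffer or decode any further

        if flags & FLAG_END_HEADERS:
            self.open_stream = None
            return "complete"
        return "ok"


def scan_connection(data: bytes, guard: Optional[HeaderBlockGuard] = None) -> Tuple[str, int]:
    """Run the guard over a raw frame buffer. Returns (final verdict, frames
    consumed); parsing stops at the first 'close'."""
    guard = guard or HeaderBlockGuard()
    consumed, verdict = 0, "ok"
    for frame in iter_frames(data):
        consumed += 1
        verdict = guard.feed(*frame)
        if verdict == "close":
            break
    return verdict, consumed


# Constructed test vectors for the guard (not captured traffic).
def benign_request() -> bytes:
    """A header block that fits in one HEADERS frame with END_HEADERS set."""
    return encode_frame(FRAME_HEADERS, FLAG_END_HEADERS, 1, b"\x82\x84")


def split_request(parts: int) -> bytes:
    """A legitimate block split over a few CONTINUATION frames, the last one
    carrying END_HEADERS."""
    frames = [encode_frame(FRAME_HEADERS, 0, 3, b"\x82")]
    for i in range(parts):
        flags = FLAG_END_HEADERS if i == parts - 1 else 0
        frames.append(encode_frame(FRAME_CONTINUATION, flags, 3, b"\x84"))
    return b"".join(frames)


def unterminated_block(n_frames: int) -> bytes:
    """A HEADERS frame followed by CONTINUATION frames that never set
    END_HEADERS: the shape the advisory describes, used here as test input."""
    frames = [encode_frame(FRAME_HEADERS, 0, 5, b"\x82")]
    frames += [encode_frame(FRAME_CONTINUATION, 0, 5, b"\x84") for _ in range(n_frames)]
    return b"".join(frames)


if __name__ == "__main__":
    print(scan_connection(benign_request()))          # ('complete', 1)
    print(scan_connection(split_request(3)))          # ('complete', 4)
    print(scan_connection(unterminated_block(100)))   # ('close', 6)
```

The guard trips on the fifth CONTINUATION frame and reports `close` after six frames even though a hundred were queued; the fixes listed under item 9 apply the same idea inside the real codecs, resetting the stream or closing the connection as soon as the limit is hit, before buffering or decoding the remainder, rather than after the whole header block has been processed.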