CVE-2016-6909

Name of the Vulnerable Software and Affected Versions FortiOS versions 4.0.0 through 4.1.10 FortiOS versions 4.2.0 through 4.2.12 FortiOS versions 4.3.0 through 4.3.8 FortiSwitch versions prior to 3.4.3

Description The issue is caused by a buffer overflow in the Cookie parser of FortiOS and FortiSwitch firmware. This can be exploited by a remote attacker using a specially crafted HTTP request, potentially allowing the execution of arbitrary code.

Recommendations For FortiOS versions 4.0.0 through 4.1.10, update to version 4.1.11 or later. For FortiOS versions 4.2.0 through 4.2.12, update to version 4.2.13 or later. For FortiOS versions 4.3.0 through 4.3.8, update to version 4.3.9 or later. For FortiSwitch versions prior to 3.4.3, update to version 3.4.3 or later. As a temporary workaround, consider restricting access to the HTTP endpoint until a patch is available.