CVE-2018-13381

Name of the Vulnerable Software and Affected Versions FortiOS versions 5.4 and earlier FortiOS versions 5.6.0 through 5.6.7 FortiOS versions 6.0.0 through 6.0.4 FortiProxy version 1.2.8 and earlier FortiProxy version 2.0.0

Description A buffer overflow vulnerability under the SSL VPN web portal allows a non-authenticated attacker to perform a Denial-of-service attack via special craft message payloads. The issue is related to the failure to properly parse message payloads in the SSL VPN portal of FortiOS. This can be exploited by sending a specially crafted request, potentially leading to a denial of service.

Recommendations For FortiOS versions 5.4 and earlier, update to a version later than 5.4 to resolve the issue. For FortiOS versions 5.6.0 through 5.6.7, update to a version later than 5.6.7 to resolve the issue. For FortiOS versions 6.0.0 through 6.0.4, update to a version later than 6.0.4 to resolve the issue. For FortiProxy version 1.2.8 and earlier, update to a version later than 1.2.8 to resolve the issue. For FortiProxy version 2.0.0, update to a version later than 2.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the SSL VPN web portal to minimize the risk of exploitation.