PT-2023-3230 · Fortinet · FortiOS, FortiProxy

Published: 2023-06-12 · Updated: 2024-12-10 · CVE-2023-29180

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

FortiOS 6.0.0 through 6.0.16
FortiOS 6.2.0 through 6.2.14
FortiOS 6.4.0 through 6.4.12
FortiOS 7.0.0 through 7.0.11
FortiOS 7.2.0 through 7.2.4
FortiProxy 1.0.0 through 1.0.7
FortiProxy 1.1.0 through 1.1.6
FortiProxy 1.2.0 through 1.2.13
FortiProxy 2.0.0 through 2.0.12
FortiProxy 7.0.0 through 7.0.10
FortiProxy 7.2.0 through 7.2.3
Description

The issue is a NULL pointer dereference (CWE-476) in the SSL-VPN daemon of FortiOS and FortiProxy. A remote, unauthenticated attacker can trigger it with specially crafted HTTP requests to the /proxy endpoint, crashing the daemon and causing a denial of service. The CVSS vector reflects this: reachable over the network, low complexity, no authentication, no confidentiality or integrity impact, complete availability impact.
Recommendations

Update to a release outside the affected range of the branch in use:

FortiOS 6.0.x: 6.0.17 or later
FortiOS 6.2.x: 6.2.15 or later
FortiOS 6.4.x: 6.4.13 or later
FortiOS 7.0.x: 7.0.12 or later
FortiOS 7.2.x: 7.2.5 or later
FortiProxy 2.0.x: 2.0.13 or later
FortiProxy 7.0.x: 7.0.11 or later
FortiProxy 7.2.x: 7.2.4 or later
FortiProxy 1.0.x, 1.1.x, 1.2.x: no later release in these branches is listed; migrate to a fixed 2.0.x or 7.x release.

Until the upgrade is applied, restrict which sources can reach the SSL-VPN /proxy endpoint: the vulnerable code is reachable without authentication, so any host that can connect to the SSL-VPN listener can crash the daemon.
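Because the affected ranges above are per-branch (a 7.2.10 build is not affected while 7.2.4 is, and a naive string compare gets that wrong), a practitioner checking a fleet wants a version comparison rather than a glance at the table. The following is an added example, not Fortinet tooling and not part of the original advisory: it encodes the advisory's ranges, parses a version string, and reports whether it falls inside an affected range and the lowest version number above that range. The format of the `Version:` line from `get system status` is an assumption, and the sample line (model, build number, date) is constructed.

```python
"""Check a FortiOS / FortiProxy version against the CVE-2023-29180 ranges.

Added example. AFFECTED is copied from the advisory; the status-line format
is assumed and the sample line is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges per branch, as listed in the advisory.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiOS": [
        ((6, 0, 0), (6, 0, 16)),
        ((6, 2, 0), (6, 2, 14)),
        ((6, 4, 0), (6, 4, 12)),
        ((7, 0, 0), (7, 0, 11)),
        ((7, 2, 0), (7, 2, 4)),
    ],
    "FortiProxy": [
        ((1, 0, 0), (1, 0, 7)),
        ((1, 1, 0), (1, 1, 6)),
        ((1, 2, 0), (1, 2, 13)),
        ((2, 0, 0), (2, 0, 12)),
        ((7, 0, 0), (7, 0, 10)),
        ((7, 2, 0), (7, 2, 3)),
    ],
}

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Version:
    """Extract the first major.minor.patch triple from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def affected_range(product: str, version: Version) -> Optional[Tuple[Version, Version]]:
    """Return the advisory range containing `version`, or None if outside all."""
    for lo, hi in AFFECTED[product]:
        # Tuple comparison is numeric per component, so (7, 2, 10) > (7, 2, 4).
        if lo <= version <= hi:
            return (lo, hi)
    return None


def is_affected(product: str, version: Version) -> bool:
    return affected_range(product, version) is not None


def first_version_outside(product: str, version: Version) -> Optional[str]:
    """Lowest version number above the matching range (high end plus one patch
    level). This is arithmetic on the advisory's range, not a claim that such
    a build exists for every branch (the FortiProxy 1.x branches in particular)."""
    rng = affected_range(product, version)
    if rng is None:
        return None
    hi = rng[1]
    return f"{hi[0]}.{hi[1]}.{hi[2] + 1}"


# Assumed shape of the first line of `get system status` output, e.g.
# "Version: FortiGate-60F v7.2.4,build1396,230131 (GA.F)" (constructed).
_STATUS_RE = re.compile(r"^Version:\s*(Forti\w+)[^ ]*\s+v(\d+\.\d+\.\d+)")


def assess_status_line(line: str) -> Dict[str, object]:
    """Map a status line to product, version and affected/upgrade verdict."""
    m = _STATUS_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised status line")
    model, ver_text = m.group(1), m.group(2)
    # Assumption: FortiProxy models report "FortiProxy-..."; everything else
    # (FortiGate, FortiWiFi, ...) runs FortiOS.
    product = "FortiProxy" if model.startswith("FortiProxy") else "FortiOS"
    version = parse_version(ver_text)
    return {
        "product": product,
        "version": version,
        "affected": is_affected(product, version),
        "upgrade_past": first_version_outside(product, version),
    }


SAMPLE_STATUS = "Version: FortiGate-60F v7.2.4,build1396,230131 (GA.F)"  # constructed

if __name__ == "__main__":
    print(assess_status_line(SAMPLE_STATUS))
```

The ranges are keyed by product because the same branch number means different things on the two products (FortiProxy 7.2.4 is fixed, FortiOS 7.2.4 is not); feeding a FortiProxy version into the FortiOS table would give the wrong verdict.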

Fix available

Impact: DoS

Weakness Enumeration

CWE-476 NULL Pointer Dereference

Related Identifiers

BDU:2023-03351
CVE-2023-29180

Affected Products

FortiOS
FortiProxy