PT-2024-2115 · Fortinet · Fortiproxy+1

Published 2024-02-27 · Updated 2024-04-18 · CVE-2023-42790

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Fortinet FortiOS versions 6.2.0 through 6.2.15
Fortinet FortiOS versions 6.4.0 through 6.4.14
Fortinet FortiOS versions 7.0.0 through 7.0.12
Fortinet FortiOS versions 7.2.0 through 7.2.5
Fortinet FortiOS versions 7.4.0 through 7.4.1
FortiProxy versions 2.0.0 through 2.0.13
FortiProxy versions 7.0.0 through 7.0.12
FortiProxy versions 7.2.0 through 7.2.6
FortiProxy version 7.4.0

Description

A stack-based buffer overflow in Fortinet FortiOS and FortiProxy allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests. This issue is related to the Captive Portal feature. An out-of-bounds write vulnerability and a stack-based buffer overflow in the captive portal may allow an inside attacker who has access to the captive portal to execute arbitrary code or commands.

Recommendations

For each of the following versions, consider setting a non-form-based authentication scheme:

Fortinet FortiOS versions 6.2.0 through 6.2.15
Fortinet FortiOS versions 6.4.0 through 6.4.14
Fortinet FortiOS versions 7.0.0 through 7.0.12
Fortinet FortiOS versions 7.2.0 through 7.2.5
Fortinet FortiOS versions 7.4.0 through 7.4.1
FortiProxy versions 2.0.0 through 2.0.13
FortiProxy versions 7.0.0 through 7.0.12
FortiProxy versions 7.2.0 through 7.2.6
FortiProxy version 7.4.0

As a temporary workaround, consider disabling the Captive Portal feature until a patch is available.

To set a non-form-based authentication scheme, use the following command:

    config authentication scheme
    edit scheme
    set method

where the value given to set method can be any of the following:

ntlm for NTLM authentication
basic for Basic HTTP authentication
digest for Digest HTTP authentication
negotiate for Negotiate authentication
fsso for Fortinet Single Sign-On (FSSO) authentication
rsso for RADIUS Single Sign-On (RSSO) authentication
ssh-publickey for Public key based SSH authentication
cert for Client certificate authentication
saml for SAML authentication
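
The following is an added example, not part of the advisory or of any Fortinet tooling: it checks a device version against the affected ranges listed above and scans a configuration backup for authentication schemes whose method is not one of the non-form methods named in the recommendation. The function names and the sample configuration are constructed for illustration, and the sample assumes `form` is the method value used for form-based authentication.

```python
import re

# Affected ranges copied from this advisory: (product, first, last), inclusive.
AFFECTED = [
    ("FortiOS", "6.2.0", "6.2.15"), ("FortiOS", "6.4.0", "6.4.14"),
    ("FortiOS", "7.0.0", "7.0.12"), ("FortiOS", "7.2.0", "7.2.5"),
    ("FortiOS", "7.4.0", "7.4.1"), ("FortiProxy", "2.0.0", "2.0.13"),
    ("FortiProxy", "7.0.0", "7.0.12"), ("FortiProxy", "7.2.0", "7.2.6"),
    ("FortiProxy", "7.4.0", "7.4.0"),
]
# Non-form methods listed in the advisory's recommendation.
NON_FORM = {"ntlm", "basic", "digest", "negotiate", "fsso", "rsso",
            "ssh-publickey", "cert", "saml"}

def ver(s):
    return tuple(int(p) for p in s.split("."))  # numeric, so 6.2.15 > 6.2.9

def is_affected(product, version):
    v = ver(version)
    return any(p.lower() == product.lower() and ver(lo) <= v <= ver(hi)
               for p, lo, hi in AFFECTED)

def schemes_needing_review(config_text):
    """Return {scheme: [methods]} for schemes using a method not in NON_FORM."""
    flagged, depth, scheme = {}, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:  # skip everything outside the scheme section
            depth = int(line == "config authentication scheme")
        elif line.startswith("config "):
            depth += 1  # nested block inside a scheme entry
        elif line == "end":
            depth -= 1
        elif depth == 1 and (m := re.match(r'edit\s+"?([^"]+)"?$', line)):
            scheme = m.group(1)
        elif depth == 1 and line.startswith("set method "):
            methods = line.split()[2:]
            if set(methods) - NON_FORM:
                flagged[scheme] = methods
    return flagged

# Constructed sample in the layout of a configuration backup ('form' assumed).
SAMPLE = '''config authentication scheme
    edit "guest-portal"
        set method form
    next
    edit "corp-sso"
        set method fsso
    next
end'''
```

A scheme is reported whenever any of its methods falls outside the advisory's list, so an entry that combines a listed method with an unlisted one is still flagged for review.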

Fix

Stack Overflow

Weakness Enumeration

Related Identifiers

BDU:2024-02011
CVE-2023-42790

Affected Products

Fortios
Fortiproxy