FortiGate
ericwang_FTNT

Description
Some public scanning tools report that FortiOS is vulnerable to ISC BIND DNS vulnerabilities.
The vulnerabilities in such reports can include (but are not limited to):

CVE-2007-0493: dereferencing freed fetch context
CVE-2008-0122: Buffer overflow in inet_network()
CVE-2009-0696: BIND Dynamic Update DoS

Scope
FortiOS DNS query service.

Solution
This is a false alarm: the FortiOS DNS query service in proxy mode simply forwards DNS queries to the target DNS server, so the real vulnerabilities are at the target DNS servers.
FortiOS does not use the third-party ISC BIND software.

To verify, change the FortiOS DNS server setting to non-recursive mode:

config system dns-server
    edit [interface]
        set mode non-recursive
    next
end

Then re-run the scan; these ISC BIND related vulnerabilities should no longer show up.


 
 

 
