FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 239420



This article describes how a critical heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote, unauthenticated attacker to execute arbitrary code or commands with specifically crafted requests. See the FortiGuard page on the vulnerability for more details:








Fortinet recommends taking immediate action to mitigate this vulnerability (by disabling SSL VPN) before upgrading to the latest release, as documented in the advisory.


If a FortiGate is managed by a FortiManager, ensure that the FortiManager is upgraded to a compatible version before upgrading the FortiGate. For more information, see the FortiManager Compatibility Chart.


To search for the Crash Log indicators of compromise documented in the advisory, search the Event Logs either on the FortiGate or the FortiAnalyzer for multiple System level log events containing the following information:


Logdesc="Application crashed" and msg="[...] application: sslvpnd,[...], Signal 11 received, Backtrace: [...]“


Alternatively, execute the following command on the FortiGate CLI:


# diagnose debug crashlog read


Search for multiple examples of the following:


xxxx: [ Date & Time ] <.....> firmware  [ Firmware version ]
xxxx: [ Date & Time ] <.....> application sslvpnd
xxxx: [ Date & Time ] <.....> *** signal 11 (Segmentation fault) received ***


Additionally, search for the presence of the IoC artifacts in the filesystem with the fnsysctl command: 


# fnsysctl ls -l /data/lib 


# fnsysctl ls -la /var 

# fnsysctl ls -l /data/etc 

# fnsysctl ls -l / 


If these IoCs are detected, contact customer support for assistance. 


This was very useful. Thank you for your efforts.