FortiNet FortiGate and FortiWiFi appliances contain multiple vulnerabilities
Vulnerability Note VU#730964
Original Release Date: 2014-09-19 | Last Revised: 2014-09-19
Fortinet FortiGate and FortiWiFi appliances are susceptible to man-in-the-middle attacks (CWE-300) and a heap-based overflow vulnerability (CWE-122).
Fortinet FortiGate and FortiWiFi 4.00.6 and possibly earlier versions are susceptible to man-in-the-middle attacks (CWE-300) and a heap-based overflow vulnerability (CWE-122). The vulnerabilities exist in the FortiManager service running on TCP port 541.
CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') - CVE-2014-0351 The FortiManager remote service relies on client-side SSL certificates to encrypt traffic between the client and server. It is possible for a client to specify the SSL cipher suite to use for the connection, including a cipher suite that does not use certificates for authentication, such as ADH-AES256-SHA. This could allow an adjacent unprivileged attacker to man-in-the-middle communications between the client and FortiManager service.
CWE-122: Heap-based Buffer Overflow - CVE-2014-2216 The FortiManager remote service uses a protocol with a message format that will allocate space for eight argument pointers on the heap. However, when parsing the message format an arbitrary number of argument pointers are accepted. This can cause a heap-based buffer overflow. A remote, unprivileged attacker may be able to exploit this vulnerability to run arbitrary code on the appliance.
The CVSS score reflects CVE-2014-2216.
A remote unauthenticated attacker may be able to man-in-the-middle traffic between the client and FortiManager service or execute arbitrary code on the appliance.
Fortinet recommends upgrading to FortiOS 4.3.16, 5.0.8, or 5.2.0 to receive the patch. Additionally, please consider the following workaround.
Disable the remote management service
The FortiManager remote service that runs on port 541 can be disabled.