Fortinet FortiOS, FortiProxy, and FortiPAM Integer Overflow Vulnerability in SSL-VPN Bookmarks Allowing Denial-of-Service

Vulnerability

An integer overflow or wraparound vulnerability has been identified in multiple Fortinet products, including FortiOS, FortiProxy, and FortiPAM. It affects several version branches, and the fixed release depends on the branch in use (see Remediation). The flaw lies in the handling of SSL-VPN RDP and VNC bookmarks: an authenticated user can send crafted requests that disrupt the device's SSL-VPN availability.

Impact

Exploitation of this vulnerability results in a denial-of-service condition, disrupting SSL-VPN availability on the affected device. Note that exploitation requires an authenticated SSL-VPN user, so the exposure is from accounts that already hold portal access rather than from unauthenticated clients.

Remediation

FortiOS users should upgrade to version 7.6.3, 7.4.8, or 7.2.11, depending on the branch they are running. FortiProxy users should upgrade to version 7.6.3 or 7.4.4, and FortiPAM users to version 1.5.1 or 1.4.3, again according to their current branch. For versions 7.0 and 6.4, FortiProxy 2.0, and FortiPAM 1.3, 1.2, 1.1, and 1.0, no fix is provided on the existing branch; users should migrate to a fixed release.
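To turn the remediation paragraph into something an inventory script can apply, the following added example (not Fortinet's code) classifies a running build against the fixed releases listed above. It assumes that every build on a fixed branch earlier than the fixed release is affected, and that the bare "7.0" and "6.4" branches refer to FortiOS; Fortinet's own advisory tables remain authoritative for the exact affected ranges.

```python
"""Classify a Fortinet product build against this advisory's fixed releases."""
from typing import Optional, Tuple

# Fixed release per (product, major.minor branch), taken from the advisory text.
FIXED = {
    ("FortiOS", "7.6"): "7.6.3",
    ("FortiOS", "7.4"): "7.4.8",
    ("FortiOS", "7.2"): "7.2.11",
    ("FortiProxy", "7.6"): "7.6.3",
    ("FortiProxy", "7.4"): "7.4.4",
    ("FortiPAM", "1.5"): "1.5.1",
    ("FortiPAM", "1.4"): "1.4.3",
}

# Branches the advisory tells users to migrate off (no fix on the branch itself).
# Assumption: the unqualified "7.0" and "6.4" branches are FortiOS branches.
MIGRATE = {
    ("FortiOS", "7.0"), ("FortiOS", "6.4"), ("FortiProxy", "2.0"),
    ("FortiPAM", "1.3"), ("FortiPAM", "1.2"), ("FortiPAM", "1.1"), ("FortiPAM", "1.0"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.4.7' -> (7, 4, 7). A leading 'v' (as printed by the CLI) is tolerated.
    Tuples compare numerically, so 7.4.10 sorts after 7.4.8 (string compare would not)."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def assess(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Return (status, target): 'fixed', 'upgrade' (target = fixed release on the
    same branch), 'migrate' (branch has no fix) or 'unknown' (branch not listed)."""
    parts = parse_version(version)
    branch = f"{parts[0]}.{parts[1]}"
    fixed = FIXED.get((product, branch))
    if fixed is not None:
        # Assumption: any earlier build on a fixed branch is affected.
        if parts >= parse_version(fixed):
            return ("fixed", None)
        return ("upgrade", fixed)
    if (product, branch) in MIGRATE:
        return ("migrate", None)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for prod, ver in [("FortiOS", "7.4.7"), ("FortiOS", "7.4.10"),
                      ("FortiOS", "7.0.15"), ("FortiPAM", "1.4.3")]:
        print(prod, ver, assess(prod, ver))
```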

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          6.8
impact          0.6
exploitability  4.9
remediation     7.7
relevance       0.3
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.