Security News > 2021 > February > Fortinet fixes critical vulnerabilities in SSL VPN and web firewall
The vulnerabilities range from Remote Code Execution to SQL Injection, to Denial of Service and impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall products.
Multiple advisories published by FortiGuard Labs this month and in January 2021 mention various critical vulnerabilities that Fortinet has been patching in their products.
Some of these vulnerabilities shown below had been previously reported in other Fortinet products but were fixed only recently in FortiProxy SSL VPN versions shown below.
CVE ID Vulnerability type Impacted products Fixed versions Date first published Date Fixed CVE-2018-13383 DoS, RCE FortiProxy SSL VPN 2.0.0 and below, 1.2.8 and below, 1.1.6 and below, 1.0.7 and below.
Vulnerabilities in FortiWeb Web Application Firewall were discovered and responsibly reported by researcher Andrey Medov at Positive Technologies.
Fortinet customers are therefore advised to upgrade to fixed versions of their products as soon as possible to protect against such critical vulnerabilities.
News URL
Related news
- SonicWall firewalls now under attack: Patch ASAP or risk intrusion via your SSL VPN (source)
- Miscreants 'mass exploited' Fortinet firewalls, 'highly probable' zero-day used (source)
- Fortinet Warns of New Zero-Day Used in Attacks on Firewalls with Exposed Interfaces (source)
- Fortinet warns of auth bypass zero-day exploited to hijack firewalls (source)
- SAP fixes critical vulnerabilities in NetWeaver application servers (source)
- Critical vulnerabilities remain unresolved due to prioritization gaps (source)
- Configuration files for 15,000 Fortinet firewalls leaked. Are yours among them? (source)
- Critical SimpleHelp vulnerabilities fixed, update your server instances! (source)
- Week in review: AWS S3 data encrypted without ransomware, data of 15k Fortinet firewalls leaked (source)
- Patch procrastination leaves 50,000 Fortinet firewalls vulnerable to zero-day (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-05-29 | CVE-2018-13383 | Out-of-bounds Write vulnerability in Fortinet Fortios and Fortiproxy A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages. | 6.5 |