Security News > 2021 > February > Fortinet fixes critical vulnerabilities in SSL VPN and web firewall

Fortinet fixes critical vulnerabilities in SSL VPN and web firewall
2021-02-07 14:31

The vulnerabilities range from Remote Code Execution to SQL Injection, to Denial of Service and impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall products.

Multiple advisories published by FortiGuard Labs this month and in January 2021 mention various critical vulnerabilities that Fortinet has been patching in their products.

Some of these vulnerabilities shown below had been previously reported in other Fortinet products but were fixed only recently in FortiProxy SSL VPN versions shown below.

CVE ID Vulnerability type Impacted products Fixed versions Date first published Date Fixed CVE-2018-13383 DoS, RCE FortiProxy SSL VPN 2.0.0 and below, 1.2.8 and below, 1.1.6 and below, 1.0.7 and below.

Vulnerabilities in FortiWeb Web Application Firewall were discovered and responsibly reported by researcher Andrey Medov at Positive Technologies.

Fortinet customers are therefore advised to upgrade to fixed versions of their products as soon as possible to protect against such critical vulnerabilities.


News URL

https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-vulnerabilities-in-ssl-vpn-and-web-firewall/

Related news

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2019-05-29 CVE-2018-13383 Out-of-bounds Write vulnerability in Fortinet Fortios and Fortiproxy
A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.
network
low complexity
fortinet CWE-787
6.5
6.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Fortinet 81 23 351 310 95 779