-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1889
                        FortiProxy security update
                                2 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiProxy
Publisher:         FortiGuard Labs
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Overwrite Arbitrary Files       -- Remote/Unauthenticated
                   Denial of Service               -- Existing Account      
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22130 CVE-2018-13382 CVE-2018-13379

Reference:         ESB-2019.1891.3

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-21-006
   https://fortiguard.com/psirt/FG-IR-20-231
   https://fortiguard.com/psirt/FG-IR-20-233

Comment: This bulletin contains three (3) FortiGuard Labs security 
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiProxy - Stack-based Buffer overflow vulnerability through the diagnose sys cpuset CLI command

IR Number    : FG-IR-21-006
Date         : Jun 01, 2021
Risk         : 3/5
CVSSv3 Score : 6.1
Impact       : Denial of Service, Remote Code Execution
CVE ID       : CVE-2021-22130

Summary

A stack-based buffer overflow vulnerability in the FortiProxy physical appliance
CLI may allow an authenticated, remote attacker to perform a Denial of Service
attack by running the `diagnose sys cpuset` CLI command with a large cpuset mask
value. Fortinet is not aware of any successful exploitation of this vulnerability
that would lead to code execution.

Impact

Denial of Service, Remote Code Execution

Affected Products

FortiProxy versions 1.2.9 and below
FortiProxy versions 2.0.1 and below
FortiProxy versions 1.1.x
FortiProxy versions 1.0.x

Solutions

Please upgrade to FortiProxy version 1.2.10 or above.

Please upgrade to FortiProxy version 2.0.2 or above.


- --------------------------------------------------------------------------------


FortiProxy - Unauthenticated SSL VPN users password modification

IR Number    : FG-IR-20-231
Date         : May 30, 2021
Risk         : 4/5
CVSSv3 Score : 8.9
Impact       : Improper Access Control
CVE ID       : CVE-2018-13382

Summary

An improper access control vulnerability in FortiProxy SSL VPN web portal may
allow an unauthenticated and remote attacker to change local SSL-VPN users'
passwords via specially crafted HTTP requests.

Impact

Improper Access Control

Affected Products

FortiProxy versions 2.0.0
FortiProxy versions 1.2.8 and below
FortiProxy versions 1.1.6 and below
FortiProxy versions 1.0.7 and below

Solutions

Please upgrade to FortiProxy version 1.2.9 or above.

Please upgrade to FortiProxy version 2.0.1 or above.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.


- --------------------------------------------------------------------------------


FortiProxy - System file leak through SSL VPN specially crafted HTTP resource requests

IR Number    : FG-IR-20-233
Date         : May 30, 2021
Risk         : 4/5
CVSSv3 Score : 8.9
Impact       : Information Disclosure
CVE ID       : CVE-2018-13379

Summary

A path traversal vulnerability in the FortiProxy SSL VPN web portal may allow a
non-authenticated, remote attacker to download FortiProxy system files through
specially crafted HTTP resource requests.

Impact

Information Disclosure

Affected Products

FortiProxy versions 2.0.0
FortiProxy versions 1.2.8 and below
FortiProxy versions 1.1.6 and below
FortiProxy versions 1.0.7 and below

Solutions

Please upgrade to FortiProxy version 1.2.9 or above.

Please upgrade to FortiProxy version 2.0.1 or above.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

- --------------------------END INCLUDED TEXT--------------------
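
An added example, not part of the Fortinet advisories or the AusCERT bulletin
above: a small Python checker that encodes the affected and fixed version
ranges exactly as the three advisories state them and reports, for a given
FortiProxy version string, which of the three CVEs are still open and the
first release that closes each. The regex-based version parsing and the
reading of "1.1.x" / "1.0.x" as whole branches are assumptions made for this
example; the ranges themselves come only from the advisories.

```python
import re
from typing import NamedTuple

# Added example. Ranges are transcribed from the three advisories in this
# bulletin: each affected range is (lowest, highest) inclusive as version
# tuples, and fixed_in lists the first fixed release on each supported branch.
# "1.1.x" and "1.0.x" (FG-IR-21-006) are read as whole branches (assumption).
class Advisory(NamedTuple):
    ir_number: str
    cve: str
    title: str
    affected: tuple   # ((lo, hi), ...)
    fixed_in: tuple   # first fixed release per major branch


ADVISORIES = (
    Advisory("FG-IR-21-006", "CVE-2021-22130",
             "Stack-based buffer overflow via 'diagnose sys cpuset' (authenticated)",
             (((1, 0, 0), (1, 2, 9)), ((2, 0, 0), (2, 0, 1))),
             ((1, 2, 10), (2, 0, 2))),
    Advisory("FG-IR-20-231", "CVE-2018-13382",
             "Unauthenticated SSL VPN user password modification",
             (((1, 0, 0), (1, 0, 7)), ((1, 1, 0), (1, 1, 6)),
              ((1, 2, 0), (1, 2, 8)), ((2, 0, 0), (2, 0, 0))),
             ((1, 2, 9), (2, 0, 1))),
    Advisory("FG-IR-20-233", "CVE-2018-13379",
             "System file leak via SSL VPN path traversal (unauthenticated)",
             (((1, 0, 0), (1, 0, 7)), ((1, 1, 0), (1, 1, 6)),
              ((1, 2, 0), (1, 2, 8)), ((2, 0, 0), (2, 0, 0))),
             ((1, 2, 9), (2, 0, 1))),
)

# Tolerates a leading "v" and trailing build metadata such as "1.2.9,build1234".
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract major.minor.patch as an int tuple; ValueError if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no major.minor.patch version in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """One finding per advisory: is this FortiProxy version inside an
    affected range, and if so which release on its major branch closes it."""
    version = parse_version(version_text)
    findings = []
    for adv in ADVISORIES:
        hit = any(lo <= version <= hi for lo, hi in adv.affected)
        upgrade = None
        if hit:
            # Every affected major branch (1.x, 2.x) has a fixed release listed;
            # 1.0.x/1.1.x users are directed to the 1.2 fix, as the advisories do.
            upgrade = next(v for v in adv.fixed_in if v[0] == version[0])
        findings.append({
            "ir": adv.ir_number,
            "cve": adv.cve,
            "title": adv.title,
            "affected": hit,
            "upgrade_to": ".".join(map(str, upgrade)) if upgrade else None,
        })
    return findings


def unpatched_cves(version_text):
    """The CVE ids from this bulletin still open on the given version."""
    return [f["cve"] for f in assess(version_text) if f["affected"]]


if __name__ == "__main__":
    # Constructed sample inputs spanning the boundaries stated in the advisories.
    for v in ("1.0.5", "1.1.6", "1.2.9", "v1.2.10,build1234", "2.0.0", "2.0.1", "2.0.2"):
        print(f"{v:20} open: {unpatched_cves(v) or 'none'}")
```

The boundary cases are the useful part: 1.2.9 and 2.0.1 are the fixes for the
two 2018 SSL VPN issues but are still inside the range of the 2021 CLI
overflow, so an appliance patched only for the older advisories shows exactly
one open CVE. Note the differing access requirements in the bulletin summary:
the cpuset overflow needs an existing account, while the two SSL VPN issues
are reachable unauthenticated.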

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYLbtZeNLKJtyKPYoAQiksBAAh1iaO0G05bYy/gVk8uiRAC5T1e7KEI7Y
h57ZnJuvSCiTDSNX4llFYj/C38G3nxVueGxkrZA64C4ezjI/HJOJ/xbmaqoJeZsB
qjOuJXQD9IocrdKce4r10NoCwWnao1b1pfqGnVhQ/VngVXXejPij/pfSg65egURj
PvvAxuZgdQoxHImKMbBj8aBI13/6c0vLuAGiMLLIoJB88eXUPtJBSnOsyB+FDxfC
MAh3//0C2DMCBBZff+nKjpyR90NPYPO/ZWg1Gp5p8M4MwosMLotWx1vOF4YvnC0a
EsmYFqH/wyPfue8e5wyu6XlTFG3h2SPtl+j3Mfuecm824wj/xBjjiNIwDnU2w/gp
XwYAuY35wj8EZgxNOrtPpG0IPhrRPI+5dwu8Dk6H9d4dBiHt7JogNpp21mdRZnZq
RPBaktkO7B/ASqUans6rNtwLtEUaikEOUknA+vbHZwvFSXOcKtIfve4x4XGUqM6b
1Ccq1vrnYBLiSe/nZRWNyww9aEPGIhUIUQK4/R+ydEGCm62SLzIhSuEfN9MibbBQ
rgZIEGrI2xaikcGrqTgKX2PMPs/OQP3u3yceIivd3fJ/S7GfVTUiO7GSxiAfQIda
YP3EgcdMq9TUqXfVsL8SyKqCN2WTAprYRBNr2EiplwvVDlBKIEQ7qTmo+RwcbDfB
xgdsjd/P00Q=
=Q+tt
-----END PGP SIGNATURE-----