Rewterz Threat Advisory – CVE-2020-29010 – Multiple FortiGuard Security Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2020-29010

An exposure of sensitive information to an unauthorized actor vulnerability in FortiGate may allow a remote authenticated attacker to read the SSL VPN events log entries of users in other VDOMs by  executing “get vpn ssl monitor” from the CLI. The sensitive data includes usernames, user groups, and IP addresses.

CVE-2020-29015

A blind SQL injection in the user interface of FortiWeb may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.

CVE-2020-29016

A stack-based buffer overflow vulnerability in FortiWeb may allow an unauthenticated, remote attacker to overwrite the content of the stack and potentially execute arbitrary code by sending a crafted request with a large certname.

CVE-2020-29019

A stack-based buffer overflow vulnerability in FortiWeb may allow a remote, authenticated attacker to crash the httpd daemon thread by sending a request with a crafted cookie header.

CVE-2020-29018

A format string vulnerability in FortiWeb may allow an authenticated, remote attacker to read the content of memory and retrieve sensitive data via the redir parameter.

Impact

• Information disclosure
• Execute unauthorized code or commands
• Denial of service

Affected Vendors

FortiGuard

Affected Products

• FortiGate versions 6.0.10 and below
• FortiWeb versions 6.3.7 and below
• FortiWeb versions 6.3.5 and below

Remediation

Refer to vendor advisory for the complete list of affected products and their respective patches.

https://www.fortiguard.com/psirt?date=01-2021