FortiOS / FortiProxy - Access to NULL pointer in SSL VPN portal

Summary

An access of uninitialized pointer vulnerability [CWE-824] in the SSL VPN portal of FortiOS and FortiProxy may allow a remote attacker, unauthenticated or authenticated depending on the version (see the Affected Products section), to crash the sslvpn daemon via a crafted HTTP GET request.

Affected Products

No need to be authenticated to provoke a crash:
FortiOS version 6.4.4 through 6.4.9
FortiOS version 7.0.0 through 7.0.5
FortiOS version 7.2.0

FortiProxy version 7.0.0 through 7.0.4

Need to be authenticated to provoke a crash:
FortiOS 6.0 all versions
FortiOS version 6.2.0 through 6.2.10
FortiOS version 6.4.0 through 6.4.3

FortiProxy version 1.2.6 through 1.2.13
FortiProxy version 2.0.0 through 2.0.9

Solutions

Upgrade FortiOS to version 7.2.2 and above,
Upgrade FortiOS to version 7.0.7 and above,
Upgrade FortiOS to version 6.4.10 and above,
Upgrade FortiOS to version 6.2.11 and above.

Upgrade FortiProxy to version 7.2.1 and above,
Upgrade FortiProxy to version 7.0.7 and above,
Upgrade FortiProxy to version 2.0.10 and above.
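To triage a device inventory against the version ranges above, the following is an added example (not Fortinet's code) that encodes the Affected Products and Solutions sections as data, parses a version string such as "v6.4.8 build1914", and reports whether that version falls in an unauthenticated or authenticated affected range and which fixed release the advisory names. The hostnames and versions in SAMPLE_INVENTORY are constructed. A version outside every listed range (which includes the fixed releases) is reported as not_listed, not as confirmed safe, and for branches where the advisory names no fixed release (FortiOS 6.0, FortiProxy 1.2) fixed_in is None.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class AffectedRange:
    product: str
    low: Version               # first affected version of the branch
    high: Optional[Version]    # last affected version; None = every version of the branch
    auth_required: bool        # True: SSL VPN credentials are needed to trigger the crash
    fixed_in: Optional[str]    # first fixed release named in the advisory, None if none listed


# Ranges transcribed from the Affected Products and Solutions sections of this advisory.
RANGES = (
    AffectedRange("FortiOS", (6, 4, 4), (6, 4, 9), False, "6.4.10"),
    AffectedRange("FortiOS", (7, 0, 0), (7, 0, 5), False, "7.0.7"),
    AffectedRange("FortiOS", (7, 2, 0), (7, 2, 0), False, "7.2.2"),
    AffectedRange("FortiProxy", (7, 0, 0), (7, 0, 4), False, "7.0.7"),
    AffectedRange("FortiOS", (6, 0), None, True, None),          # "6.0 all versions"
    AffectedRange("FortiOS", (6, 2, 0), (6, 2, 10), True, "6.2.11"),
    AffectedRange("FortiOS", (6, 4, 0), (6, 4, 3), True, "6.4.10"),
    AffectedRange("FortiProxy", (1, 2, 6), (1, 2, 13), True, None),
    AffectedRange("FortiProxy", (2, 0, 0), (2, 0, 9), True, "2.0.10"),
)

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """Extract the dotted numeric version from '7.0.5' or 'v7.0.5 build0304' as an int tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _in_range(v: Version, r: AffectedRange) -> bool:
    if r.high is None:              # whole branch affected: compare on the branch prefix only
        return v[: len(r.low)] == r.low
    # Tuple comparison is element-wise, so (6, 4, 10) correctly sorts above (6, 4, 9);
    # a plain string comparison of "6.4.10" and "6.4.9" would get this wrong.
    return r.low <= v <= r.high


def assess(product: str, version: str) -> Dict[str, object]:
    """Classify one product/version pair against the advisory's ranges."""
    v = parse_version(version)
    for r in RANGES:
        if r.product == product and _in_range(v, r):
            status = "affected_authenticated" if r.auth_required else "affected_unauthenticated"
            return {"product": product, "version": v, "status": status, "fixed_in": r.fixed_in}
    return {"product": product, "version": v, "status": "not_listed", "fixed_in": None}


def triage(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Assess (host, product, version) rows; devices crashable without credentials come first."""
    order = {"affected_unauthenticated": 0, "affected_authenticated": 1, "not_listed": 2}
    results = [dict(assess(product, ver), host=host) for host, product, ver in inventory]
    return sorted(results, key=lambda r: order[str(r["status"])])


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("fw-dc-01", "FortiOS", "7.0.7"),
    ("fw-lab-01", "FortiOS", "6.0.15"),
    ("fw-branch-01", "FortiOS", "v6.4.8 build1914"),
    ("proxy-01", "FortiProxy", "2.0.9"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        ver = ".".join(str(p) for p in row["version"])
        print(f"{row['host']:<14} {row['product']:<11} {ver:<8} {row['status']:<26} "
              f"fixed_in={row['fixed_in']}")
```

The sort order in triage puts the devices an unauthenticated client can crash at the top of the list, since those are the ones to patch or restrict first; not_listed rows still deserve a look, because the advisory only enumerates branches Fortinet assessed.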

Acknowledgement

Internally discovered during an internal audit.