Format String Bug in HTTPSd


A format string vulnerability [CWE-134] in the HTTPSd daemon of FortiOS, FortiProxy and FortiPAM may allow an authenticated user to execute unauthorized code or commands via specially crafted API requests.

Version Affected Solution
FortiOS 7.4 7.4.0 Upgrade to 7.4.1 or above
FortiOS 7.2 7.2.0 through 7.2.4 Upgrade to 7.2.5 or above
FortiOS 7.0 7.0.0 through 7.0.11 Upgrade to 7.0.12 or above
FortiOS 6.4 6.4.0 through 6.4.12 Upgrade to 6.4.13 or above
FortiOS 6.2 6.2.0 through 6.2.15 Upgrade to 6.2.16 or above
FortiOS 6.0 6.0 all versions Migrate to a fixed release
FortiPAM 1.2 Not affected Not Applicable
FortiPAM 1.1 1.1.0 Upgrade to 1.1.1 or above
FortiPAM 1.0 1.0 all versions Migrate to a fixed release
FortiProxy 7.4 Not affected Not Applicable
FortiProxy 7.2 7.2.0 through 7.2.4 Upgrade to 7.2.5 or above
FortiProxy 7.0 7.0.0 through 7.0.10 Upgrade to 7.0.11 or above
Follow the recommended upgrade path using our tool at:

Virtual Patch named "FortiOS.FortiSASE.Daemon.Format.String." is available in FMWP db update 23.104
This vulnerability is not directly related to SSLVPNd, disabling it is NOT a valid workaround.
The attacker must have Read/Write privileges on the administrative interface to perform this attack.
Although "trusted host" mitigation might limit potential exploitations, it should not be considered as a valid workaround.
Efficient workarounds are either to upgrade to a fixed release or to apply virtual patch above.
edited on: 2023-12-15 11:07


Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team in the frame of an internal audit of the SSL-VPN component.


2023-12-08: Initial publication
2024-01-10: Virtual patch renamed "FortiOS.HTTPSd.Daemon.CVE-2023-36639.Memory.Corruption"