A vulnerability, which was classified as problematic, was found in Fortinet FortiOS up to 6.0.6/6.2.1 (Firewall Software). This affects an unknown functionality of the component SSL VPN Portal. The manipulation as part of a POST Request leads to a input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. This is going to have an impact on availability. The summary by CVE is:

An Improper Input Validation vulnerability in the SSL VPN portal of FortiOS versions 6.2.1 and below, and 6.0.6 and below may allow an unauthenticated remote attacker to crash the SSL VPN service by sending a crafted POST request.

The weakness was shared 11/27/2019 by Qingtang Zheng as FG-IR-19-236 as confirmed security advisory (Website). The advisory is shared at fortiguard.com. The vendor cooperated in the coordination of the public release. This vulnerability is uniquely identified as CVE-2019-15705 since 08/27/2019. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Neither technical details nor an exploit are publicly available. The advisory points out:

An Improper Input Validation vulnerability in the SSL VPN portal of FortiOS may allow an unauthenticated remote attacker to crash the SSL VPN service by sending a crafted POST request.

Upgrading to version 6.0.7 or 6.2.2 eliminates this vulnerability.

Productinfo

Type

• Firewall Software

Vendor

• Fortinet

Name

• FortiOS

Version

• 6.0.0
• 6.0.1
• 6.0.2
• 6.0.3
• 6.0.4
• 6.0.5
• 6.0.6
• 6.2.0
• 6.2.1

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion