CVE-2021-43072: Classic Buffer Overflow in Fortinet Products

CVE-2021-43072 refers to a security vulnerability discovered in various Fortinet products, including FortiAnalyzer, FortiManager, FortiProxy, and FortiOS versions. A classic buffer overflow occurs when the buffer size is not properly checked while copying the input, which allows an attacker to execute unauthorized code or commands. This post will detail the exploit information, code snippets, and original references.

Here are the affected products and versions

1. FortiAnalyzer version 7..2 and below, version 6.4.7 and below, version 6.2.9 and below, version 6..11 and below, and version 5.6.11 and below
2. FortiManager version 7..2 and below, version 6.4.7 and below, version 6.2.9 and below, version 6..11 and below, and version 5.6.11 and below

Exploit Details

The vulnerability allows an attacker to execute unauthorized code or commands by using crafted CLI (command-line interface) execute restore image and execute certificate remote operations with the TFTP (trivial file transfer protocol) protocol. As a result, an attacker can potentially gain unauthorized access to sensitive data, manipulate system configurations, or cause a denial of service (DoS) by crashing the affected devices.

Here is a code snippet that demonstrates how the buffer overflow can occur

#include <stdio.h>
#include <string.h>

void copy_data(char *input) {
  char buffer[128];  // Fixed-size buffer
  strcpy(buffer, input);  // Copies input to buffer without checking size
}

int main() {
  char malicious_input[256];
  memset(malicious_input, 'A', 256);  // Creates malicious input with larger size
  copy_data(malicious_input);  // Triggers buffer overflow
  return ;
}

The above code snippet shows that the copy_data function uses strcpy to copy the content of input into a fixed-size buffer without checking its size. This leads to a buffer overflow when the input size is larger than the buffer size.

Fortinet has released security advisories addressing this vulnerability

1. FortiAnalyzer advisory
2. FortiManager advisory
3. FortiOS advisory
4. FortiProxy advisory

Additionally, you can find the CVE-2021-43072 entry in the National Vulnerability Database (NVD).

Recommendations

To protect your systems from this vulnerability, Fortinet recommends upgrading to the latest versions of the affected products:

For FortiProxy, upgrade to version 7..4 or 2..9.

You should also enable the built-in intrusion prevention system (IPS) to help detect and block attacks targeting this vulnerability. Furthermore, it's essential to follow security best practices, such as monitoring network traffic, limiting users' privileges, and using strong passwords.

Conclusion

The CVE-2021-43072 classic buffer overflow vulnerability affects various Fortinet products, allowing attackers to execute unauthorized code or commands. This post has provided information on the exploit details, code snippets, and recommendations on how to protect your systems. Always keep your systems updated with the latest patches and follow security best practices to minimize the risk of exploit.

Timeline

Published on: 07/18/2023 03:15:54 UTC
Last modified on: 11/07/2023 03:39:17 UTC