PSIRT Advisories

FortiOS & FortiProxy – Webproxy denial of service

Summary:
A use-after-free vulnerability [CWE-416] in FortiOS and FortiProxy may allow an unauthenticated remote attacker to crash the Webproxy process by sending multiple specially crafted packets that reach a proxy policy, or a policy operating in proxy mode with SSL packet inspection.

In other words, an attacker who can send crafted packets to the proxy can take the Web proxy out of service without presenting any credentials.

Affected Products:
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.10
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.8

Solutions:
Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.5 or above
Please upgrade to FortiOS version 7.0.11 or above
Please upgrade to FortiProxy version 7.2.3 or above
Please upgrade to FortiProxy version 7.0.9 or above

FortiSASE is no longer affected; the fix was applied in 2023/Q2.
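To turn the version table above into a check that can be run against an inventory, the following Python helper is added here as an example (it is not Fortinet's code and not part of the advisory). It encodes exactly the affected ranges and fixed releases listed on this page, parses a version string such as "7.2.4" or "v7.2.4,build1396", and reports whether a device is affected and which release on the same branch closes the issue. The FortiGate "get system status" line used as sample input is constructed for the example; the assumption that the product can be recognised from the "FortiGate"/"FortiProxy" token in that line is the author's, not the advisory's. Versions outside the listed ranges (for example 7.4.x) are reported as not affected, which is all this page states about them.

```python
import re

# Affected ranges (inclusive) and the first fixed release on the same branch,
# copied from the Affected Products / Solutions sections of the advisory.
AFFECTED = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 4), (7, 2, 5)),
        ((7, 0, 0), (7, 0, 10), (7, 0, 11)),
    ],
    "FortiProxy": [
        ((7, 2, 0), (7, 2, 2), (7, 2, 3)),
        ((7, 0, 0), (7, 0, 8), (7, 0, 9)),
    ],
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '7.2.4', 'v7.2.4,build1396,...' or a full status line.

    Comparing tuples of ints avoids the classic string-comparison bug where
    '7.0.10' sorts before '7.0.8'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True if the given product/version falls inside a published affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi, _fixed in AFFECTED[product])


def first_fixed(product, version):
    """The fixed release on the same branch as an affected version, or None if not affected."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED[product]:
        if lo <= v <= hi:
            return fixed
    return None


def check_status_line(line):
    """Evaluate one 'Version:' line from 'get system status'.

    Assumption (not from the advisory): the product is identified by the
    'FortiGate' (FortiOS) or 'FortiProxy' token preceding the version.
    Returns (product, version_tuple, affected, fixed_version_or_None).
    """
    if "FortiProxy" in line:
        product = "FortiProxy"
    elif "FortiGate" in line:
        product = "FortiOS"
    else:
        raise ValueError(f"unrecognised product in {line!r}")
    v = parse_version(line)
    return product, v, is_affected(product, line), first_fixed(product, line)


def fixed_str(v):
    return ".".join(map(str, v)) if v else None


if __name__ == "__main__":
    # Constructed sample lines, in the shape of FortiGate/FortiProxy status output.
    samples = [
        "Version: FortiGate-60F v7.2.4,build1396,230131 (GA)",
        "Version: FortiGate-100F v7.0.11,build0489,230314 (GA)",
        "Version: FortiProxy-VM64 v7.0.8,build0401,230105 (GA)",
    ]
    for s in samples:
        product, v, hit, fixed = check_status_line(s)
        status = f"AFFECTED -> upgrade to {fixed_str(fixed)}" if hit else "not affected"
        print(f"{product} {fixed_str(v)}: {status}")
```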

Acknowledgement:
Internally discovered during a Fortinet TAC investigation.

Official advisory:
FortiOS & FortiProxy – Webproxy process denial of service