Heap-based buffer overflow in cw_acd daemon
Summary
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiSwitchManager cw_acd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.17 | Upgrade to 7.0.18 or above |
| FortiOS 6.4 | 6.4.0 through 6.4.16 | Upgrade to upcoming 6.4.17 or above |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiSwitchManager 7.0 | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
Workarrounds :
For each interface, remove “fabric” access. For example change :
config system interface
edit “port1”
set allowaccess fabric ssh https
next
end
to :
config system interface
edit “port1”
set allowaccess ssh https
next
end
or disallow access to the capwap daemon :
For each interface with the “fabric” service, block CAPWAP-CONTROL access to port 5246 to 5249 through a local-in policy.
config firewall service custom
edit “CAPWAP-CONTROL”
set udp-portrange 5246-5249
next
end
config firewall addrgrp
edit “CAPWAP_DEVICES_IPs”
set member “my_allowed_addresses”
end
config firewall local-in-policy
edit 1 (allow from trusted devices)
set intf “port1” (where fabric is enabled)
set srcaddr “CAPWAP_DEVICES_IPs”
set dstaddr “all”
set service “CAPWAP-CONTROL”
set schedule “always”
set action accept
next
edit 2 (block everyone else)
set intf “port1” (where fabric is enabled)
set srcaddr “all’
set dstaddr “all”
set service “CAPWAP-CONTROL”
set schedule “always”
set action deny
next
end