PSIRT Advisory

Format String Vulnerability in SSH username

Summary

There is a format string vulnerability in the SSH username handling when connecting to FortiOS 5.6.0 and lower, that may lead to memory corruption.

Impact

Execute unauthorized code or commands

Affected Products

FortiOS 5.6.0 and below
The following Fortinet products are NOT affected:
FortiOS :
5.4 branch: not vulnerable
5.2 branch: not vulnerable
FortiAnalyzer
FortiManager


Solutions

Upgrade to FortiOS 5.6.1 or above.
Workaround: Configure the trusthost feature to only allow trusted administrators to use SSH and deny others.

Acknowledgement

Fortinet thanks Simone Cardona for reporting this vulnerability.