PSIRT Advisory

SSL VPN buffer overrun when parsing javascript href content


Summary

A heap buffer overflow vulnerability in the FortiOS SSL VPN web portal may cause the SSL VPN web service to terminate for logged-in users. It is triggered when an authenticated user visits a specifically crafted web page through the portal's proxy, and is due to a failure to handle JavaScript href content properly.

Exploiting this weakness to achieve remote code execution has, on the other hand, not been proven feasible. Note that this is not a proof of impossibility: a heap overflow reachable from attacker-supplied web content should be treated as a potential code execution primitive until the fix is applied.
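The following C program is an added illustration of the bug class the summary describes, written for this page; it is not Fortinet's code and does not reproduce the actual FortiOS parser. It assumes a hypothetical proxy rewriter that copies the value of a `href="javascript:..."` attribute from the proxied page into a fixed 32-byte heap allocation (`HREF_BUF`, a hypothetical size), and the sample pages are constructed. The unsafe function shows the overflow pattern (attacker-controlled length, fixed-size heap destination); the hardened one bounds the copy before allocating, and a helper reports the overflow condition without triggering it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size heap allocation for a rewritten href value. */
#define HREF_BUF 32

/* Constructed sample pages (not taken from the advisory). */
static const char BENIGN_PAGE[] = "<a href=\"javascript:void(0)\">ok</a>";
static const char ATTACK_PAGE[] =
    "<a href=\"javascript:"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* 32 bytes of filler */
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* 32 more: value is far over HREF_BUF */
    "\">x</a>";

/* Locate the first href="javascript:..." attribute in html.
 * Returns a pointer to the value (just after the opening quote) and stores
 * its length in *len; NULL if absent or the closing quote is missing. */
static const char *find_js_href(const char *html, size_t *len)
{
    const char *p = strstr(html, "href=\"javascript:");
    if (p == NULL)
        return NULL;
    p += strlen("href=\"");
    const char *end = strchr(p, '"');
    if (end == NULL)
        return NULL;
    *len = (size_t)(end - p);
    return p;
}

/* Vulnerable pattern: the length is attacker-controlled (it comes from the
 * proxied page) but the destination is a fixed-size heap buffer, so a value
 * of HREF_BUF bytes or longer writes past the allocation. This is undefined
 * behaviour: only ever call it with input that is known to fit. */
char *rewrite_js_href_unsafe(const char *html)
{
    size_t len;
    const char *val = find_js_href(html, &len);
    if (val == NULL)
        return NULL;
    char *buf = malloc(HREF_BUF);
    if (buf == NULL)
        return NULL;
    memcpy(buf, val, len);   /* len is never compared with HREF_BUF */
    buf[len] = '\0';         /* one more out-of-bounds byte when len >= HREF_BUF */
    return buf;
}

/* Hardened version: bound the copy before allocating. Rejecting (rather
 * than silently truncating) keeps the rewritten link semantically intact. */
char *rewrite_js_href_safe(const char *html)
{
    size_t len;
    const char *val = find_js_href(html, &len);
    if (val == NULL)
        return NULL;
    if (len >= HREF_BUF)     /* need len + 1 bytes including the NUL */
        return NULL;
    char *buf = malloc(HREF_BUF);
    if (buf == NULL)
        return NULL;
    memcpy(buf, val, len);
    buf[len] = '\0';
    return buf;
}

/* Reports whether the unsafe copy would overflow on this page, so the
 * condition can be checked without triggering the overflow itself. */
int js_href_overflows(const char *html)
{
    size_t len;
    const char *val = find_js_href(html, &len);
    return val != NULL && len >= HREF_BUF;
}

int main(void)
{
    char *ok = rewrite_js_href_safe(BENIGN_PAGE);
    printf("benign page -> %s\n", ok ? ok : "(rejected)");
    free(ok);

    /* The attack page is only ever passed to the bounded version. */
    printf("attack page -> overflows unsafe copy: %s, safe copy: %s\n",
           js_href_overflows(ATTACK_PAGE) ? "yes" : "no",
           rewrite_js_href_safe(ATTACK_PAGE) ? "accepted" : "rejected");
    return 0;
}
```

The point of the split is that the crash the advisory describes comes from the destination size being decided independently of the source length; the fix is a single comparison in the right place, not a larger buffer.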


Impact

Denial of service

Affected Products

FortiOS, all versions lower than 6.0.5


Solutions

Upgrade to FortiOS 6.0.5 or 6.2.0.


Workaround

Disable the SSL VPN web portal service by applying the following CLI commands:

config vpn ssl settings
unset source-interface
end

Note that unsetting the source interface stops SSL VPN from listening on that interface altogether, so tunnel-mode clients lose access along with web-portal users; set the source interface again once the upgrade is in place.

Revision History:

2019-04-02 Initial Version
2019-05-15 Added fix on 6.0 branch


Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.