PSIRT Advisory

FortiAP system files overwrite via the tcpdump CLI command

Summary

An improper input validation (CWE-20) vulnerability in FortiAP CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.

Impact

Improper Input Validation

Affected Products

FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below

FortiAP-U 6.0.1 and below

FortiAP is not impacted

FortiAP-C is not impacted

Solutions

Upgrade to FortiAP-S/W2 6.0.6 or 6.2.3 and above

Upgrade to FortiAP-U 6.0.2 or above


Revision History:
02-10-2020 Initial version
05-25-2020 Added FAP, FAP-U and FAP-C impact info.

Acknowledgement

Fortinet is pleased to thank “NYC Cyber Command” for reporting this vulnerability under responsible disclosure.