Attacker Value: Moderate (2 users assessed)
Exploitability: Low (2 users assessed)
User Interaction: Required
Privileges Required: None
Attack Vector: Network

CVE-2018-13383

Disclosure Date: May 29, 2019
Exploited in the Wild

Description

A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.

Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very Low
Technical Analysis

There doesn’t seem to be much value for an attacker to terminate a web service.

Technical Analysis

It seems that after this analysis the risk was updated around July 2019 to be a high-severity vulnerability. Technically this is a heap overflow with the potential side effect of SSL VPN web service termination for logged-in users; however, the bug may also result in remote code execution. @wwoolwine-r7’s assessment, in my opinion, fails to appropriately take this into account, as it considers the side effect to be the main impact of this bug rather than the fact that this can be, and has been, exploited in the wild for remote code execution.

A full technical writeup of this bug can be found at https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html, where it is noted that this is a post-auth vulnerability that occurs due to a memcpy into a heap buffer using the code memcpy(buffer, js_buf, js_buf_len);. It also notes that buffer is a fixed 0x2000-byte-long buffer; however, the length of js_buf is not limited and can be as long as the attacker wants it to be. They also note that to trigger this bug, an attacker would need to host their own HTTP server. They would then use the SSL VPN web-mode, which allows users to connect to various resources such as HTTP, FTP, RDP, etc. via their web browser and results in the SSL VPN server requesting resources on their behalf, to make the SSL VPN server connect to the malicious HTTP server and fetch their exploit on their behalf, which results in the heap overflow.

Exploitation of this vulnerability can be prevented by ensuring all users have secure passwords with a mix of alphanumeric, uppercase, lowercase, and symbol characters of at least 20 characters or more. Remember that, in general, whilst having a mix of characters is good, length tends to help more than the mix of characters; however, it is still highly recommended to use a mix of characters wherever possible.

Exploitation can also be prevented by disabling SSL VPN web-mode, and using SSL VPN tunnel-mode instead as it is not impacted.
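The bounds check that closes the memcpy pattern quoted above, as an added C example that is not Fortinet's code or the writeup's; href_buf_t, copy_href_checked and try_href_of_length are hypothetical names, and only the 0x2000 size comes from the assessment:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size destination, using the 0x2000-byte size the writeup cites. */
#define HREF_BUF_SIZE 0x2000

/* Hypothetical stand-in for the proxy's fixed href buffer (constructed). */
typedef struct {
    uint8_t data[HREF_BUF_SIZE];
    size_t len;
} href_buf_t;

/*
 * The pattern the assessment quotes is memcpy(buffer, js_buf, js_buf_len)
 * with js_buf_len taken from the remote page and never compared against the
 * 0x2000-byte destination. The hardened form below checks the length first
 * and refuses the copy rather than writing past the end of data[].
 * Returns 0 on success, -1 when the input is missing or does not fit; the
 * caller should fail the request instead of silently truncating.
 */
static int copy_href_checked(href_buf_t *buf, const uint8_t *js_buf,
                             size_t js_buf_len)
{
    if (buf == NULL || js_buf == NULL || js_buf_len > HREF_BUF_SIZE)
        return -1;
    memcpy(buf->data, js_buf, js_buf_len);
    buf->len = js_buf_len;
    return 0;
}

/*
 * Test helper: build a constructed href of n bytes and push it through the
 * checked copy. Returns the copy's status so callers can assert on it.
 */
static int try_href_of_length(size_t n)
{
    href_buf_t buf;
    uint8_t *js = malloc(n ? n : 1);
    if (js == NULL)
        return -1;
    memset(js, 'A', n);
    int rc = copy_href_checked(&buf, js, n);
    free(js);
    return rc;
}
```

An input of exactly 0x2000 bytes still fits; one byte more is rejected before any copy happens.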

CVSS V3 Severity and Metrics

Base Score: 6.5 Medium
Impact Score: 3.6
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

General Information

Vendors

  • fortinet

Products

  • fortios
  • fortiproxy
  • fortiproxy 2.0.0
