Fortinet releases advisory on critical vulnerability
Vulnerability affecting FortiOS and FortiProxy, could allow remote code execution or DoS attacks
Fortinet has revealed details of a "critical" vulnerability affecting FortiOS and FortiProxy, which could enable an unauthorised remote attacker to execute arbitrary code or initiate a denial of service (DoS) attack through specially crafted HTTP requests.
The vulnerability, which has been assigned the CVE identifier CVE-2023-25610, is described as a buffer underflow vulnerability in the administrative interface of FortiOS and FortiProxy.
Rated as critical, the vulnerability has a CVSS v3 score of 9.3.
CVE-2023-25610 is a buffer underflow vulnerability, which occurs when a program attempts to read more data from a memory buffer than is actually available, causing it to access adjacent memory locations. As a result, the program may exhibit unpredictable or dangerous behaviour or even crash.
Fortinet says it has no reports so far of the vulnerability being exploited in the wild.
Fortinet products affected by the vulnerability are:
• FortiOS version 7.2.0 through 7.2.3
• FortiOS version 7.0.0 through 7.0.9
• FortiOS version 6.4.0 through 6.4.11
• FortiOS version 6.2.0 through 6.2.12
• FortiOS 6.0, all versions
• FortiProxy version 7.2.0 through 7.2.2
• FortiProxy version 7.0.0 through 7.0.8
• FortiProxy version 2.0.0 through 2.0.11
• FortiProxy 1.2, all versions
• FortiProxy 1.1, all versions
Fortunately, firmware upgrades and mitigations are available to address this vulnerability.
To address the flaw, admins should upgrade to FortiOS versions 7.4.0, 7.2.4, 7.0.10, 6.4.12 and 6.2.13 or newer.
For FortiProxy, versions 7.2.3, 7.0.9 and 2.0.12 or later should be used.
For FortiOS-6K7K, versions 7.0.10, 6.4.12 and 6.2.13 or later are recommended.
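The affected and fixed release lists above are easy to misread when checking a fleet by hand (a 6.0 or FortiProxy 1.x box has no patched release on its own branch at all). The following Python script is an added example, not Fortinet's tooling, that transcribes the FortiOS and FortiProxy ranges from this article and reports, for a given product and build, whether it falls inside an affected range and which fixed release to move to. It assumes plain MAJOR.MINOR.PATCH version strings; the FortiOS-6K7K line is left out because the article lists only its fixed releases, not its affected ranges.

```python
"""Version-range check for CVE-2023-25610 (added example; ranges transcribed
from the article above, not fetched from Fortinet)."""
from typing import NamedTuple, Optional

Version = tuple[int, int, int]


class Status(NamedTuple):
    product: str
    version: str
    vulnerable: bool
    fixed_version: Optional[str]  # None when not vulnerable or when the branch has no fix
    note: str


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


# (first affected, last affected or None for "all versions of that branch",
#  fixed release or None when the branch has no fixed release listed)
AFFECTED: dict[str, list[tuple[Version, Optional[Version], Optional[str]]]] = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 3), "7.2.4"),
        ((7, 0, 0), (7, 0, 9), "7.0.10"),
        ((6, 4, 0), (6, 4, 11), "6.4.12"),
        ((6, 2, 0), (6, 2, 12), "6.2.13"),
        ((6, 0, 0), None, None),  # all 6.0 releases affected, no 6.0 fix listed
    ],
    "FortiProxy": [
        ((7, 2, 0), (7, 2, 2), "7.2.3"),
        ((7, 0, 0), (7, 0, 8), "7.0.9"),
        ((2, 0, 0), (2, 0, 11), "2.0.12"),
        ((1, 2, 0), None, None),  # all 1.2 releases affected, no fix listed
        ((1, 1, 0), None, None),  # all 1.1 releases affected, no fix listed
    ],
}


def check(product: str, version: str) -> Status:
    """Return whether product/version is inside an affected range and the fix to apply."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product {product!r}; only FortiOS and FortiProxy are tabulated")
    v = parse_version(version)
    for low, high, fixed in AFFECTED[product]:
        if high is None:
            # "all versions" entries match on the MAJOR.MINOR branch only
            in_range = v[:2] == low[:2]
        else:
            in_range = low <= v <= high
        if not in_range:
            continue
        if fixed is None:
            return Status(product, version, True, None,
                          f"{product} {low[0]}.{low[1]} is affected in every release and has no fixed "
                          "release on that branch; migrate to a fixed branch")
        return Status(product, version, True, fixed, f"upgrade to {product} {fixed} or later")
    return Status(product, version, False, None, "not inside any affected range listed in the advisory")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("fw-edge-1", "FortiOS", "7.2.3"), ("fw-edge-2", "FortiOS", "7.2.4"),
                 ("fw-legacy", "FortiOS", "6.0.16"), ("proxy-1", "FortiProxy", "2.0.12"),
                 ("proxy-old", "FortiProxy", "1.1.3")]
    for host, product, version in inventory:
        s = check(product, version)
        flag = "VULNERABLE" if s.vulnerable else "ok"
        print(f"{host:10} {product:10} {version:8} {flag:10} {s.note}")
```

Feeding the script an exported inventory (hostname, product, build) gives a first-pass patch list; the "no fixed release on that branch" note is the case that most often gets missed, because simply waiting for a 6.0 or 1.x point release will never clear it.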
Fortinet has also provided a workaround for customers who are unable to immediately deploy security updates. Such customers are advised to either disable access to the HTTP/HTTPS administrative interface or limit the IP addresses that are allowed to access the administrative interface.
By implementing these measures, incoming attacks can be blocked until the necessary security updates are applied.
According to Fortinet, only the denial of service (DoS) aspect of the vulnerability affects fifty specific device models listed in the security bulletin.
All other models not listed in the advisory are vulnerable to both issues: DoS and arbitrary code execution.
It is therefore recommended that administrators of vulnerable devices apply the available security updates as soon as possible to address both issues.
The latest Fortinet advisory follows closely on the heels of security researchers publishing a proof-of-concept (PoC) exploit for a different critical vulnerability (CVE-2022-39952) found in Fortinet's FortiNAC network access control suite.
The details of CVE-2022-39952 were made public last month, and the flaw was assigned a severity score of 9.8.
Fortinet warned that the flaw could be used by an unauthenticated threat actor to write arbitrary files on the system, enabling the attacker to execute remote code with the highest level of privileges.
Researchers at cybersecurity firm Horizon3 published a technical article outlining the vulnerability and how it can be exploited.
Due to the severity of the vulnerability and the existence of a proof-of-concept (PoC) exploit, administrators were advised to upgrade to unaffected versions of FortiNAC as soon as possible.