Critical FortiOS and FortiProxy Vulnerability – FG-IR-23-001

Critical FortiOS and FortiProxy Vulnerability – FG-IR-23-001: Fortinet has just announced a critical vulnerability affecting all current versions. A buffer underwrite (“buffer underflow”) vulnerability in the FortiOS and FortiProxy administrative interface may allow a remote, unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI via specifically crafted requests. In practice, the impact is direct, unauthenticated access to the administration interface.


The highest severity issue fixed in this release is CRITICAL.

This vulnerability has a CVSS score higher than 9. It is already patched in the latest FortiOS releases, although the release notes do not mention it, and the related PSIRT advisory from FortiGuard Labs is now publicly accessible. Fortinet is not aware of any instance where this vulnerability was exploited in the wild.


IR Number: FG-IR-23-001
Date: March 7, 2023
CVSSv3 Score: 9.3
Impact: Denial of service
CVE ID: CVE-2023-25610


Affected Products:
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.9
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.0 through 6.2.12
FortiOS 6.0 all versions
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.8
FortiProxy version 2.0.0 through 2.0.11
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions

Even when running a vulnerable FortiOS version, the hardware devices listed below are *only* impacted by the DoS part of the issue, *not* by the arbitrary code execution (non-listed devices are vulnerable to both):

    FortiGateRugged-100C
    FortiGate-100D
    FortiGate-200C
    FortiGate-200D
    FortiGate-300C
    FortiGate-3600A
    FortiGate-5001FA2
    FortiGate-5002FB2
    FortiGate-60D
    FortiGate-620B
    FortiGate-621B
    FortiGate-60D-POE
    FortiWiFi-60D
    FortiWiFi-60D-POE
    FortiGate-300C-Gen2
    FortiGate-300C-DC-Gen2
    FortiGate-300C-LENC-Gen2
    FortiWiFi-60D-3G4G-VZW
    FortiGate-60DH
    FortiWiFi-60DH
    FortiGateRugged-60D
    FortiGate-VM01-Hyper-V
    FortiGate-VM01-KVM
    FortiWiFi-60D-I
    FortiGate-60D-Gen2
    FortiWiFi-60D-J
    FortiGate-60D-3G4G-VZW
    FortiWifi-60D-Gen2
    FortiWifi-60D-Gen2-J
    FortiWiFi-60D-T
    FortiGateRugged-90D
    FortiWifi-60D-Gen2-U
    FortiGate-50E
    FortiWiFi-50E
    FortiGate-51E
    FortiWiFi-51E
    FortiWiFi-50E-2R
    FortiGate-52E
    FortiGate-40F
    FortiWiFi-40F
    FortiGate-40F-3G4G
    FortiWiFi-40F-3G4G
    FortiGate-40F-3G4G-NA
    FortiGate-40F-3G4G-EA
    FortiGate-40F-3G4G-JP
    FortiWiFi-40F-3G4G-NA
    FortiWiFi-40F-3G4G-EA
    FortiWiFi-40F-3G4G-JP
    FortiGate-40F-Gen2
    FortiWiFi-40F-Gen2

Solution:

  • FortiOS: Upgrade to version 7.4.0,
  • FortiOS: Upgrade to version 7.2.4,
  • FortiOS: Upgrade to version 7.0.10,
  • FortiOS: Upgrade to version 6.4.12,
  • FortiOS: Upgrade to version 6.2.13.
  • FortiProxy: Upgrade to version 7.2.3,
  • FortiProxy: Upgrade to version 7.0.9,
  • FortiProxy: Upgrade to version 2.0.12,
  • FortiProxy-6K7K: Upgrade to version 7.0.10,
  • FortiProxy-6K7K: Upgrade to version 6.4.12,
  • FortiProxy-6K7K: Upgrade to version 6.2.13.


Workaround for FortiOS:

Disable HTTP/HTTPS administrative interface
OR
Limit IP addresses that can reach the administrative interface:

    config firewall address
    edit "my_allowed_addresses"
    set subnet <MY IP> <MY SUBNET>
    end

Then create an Address Group:

    config firewall addrgrp
    edit "MGMT_IPs"
    set member "my_allowed_addresses"
    end

Create a local-in policy that accepts GUI traffic only from the predefined group on the management interface (here: port1) and denies it from everywhere else:

    config firewall local-in-policy
    edit 1
    set intf port1
    set srcaddr "MGMT_IPs"
    set dstaddr "all"
    set action accept
    set service HTTPS HTTP
    set schedule "always"
    set status enable
    next
    edit 2
    set intf "any"
    set srcaddr "all"
    set dstaddr "all"
    set action deny
    set service HTTPS HTTP
    set schedule "always"
    set status enable
    end

If the administrative interface listens on non-default ports (admin-sport / admin-port), create matching custom service objects for GUI administrative access:

    config firewall service custom
    edit GUI_HTTPS
    set tcp-portrange <admin-sport>
    next
    edit GUI_HTTP
    set tcp-portrange <admin-port>
    end

Use these objects instead of “HTTPS HTTP” in local-in policies 1 and 2 above.

All FortiGate users should use this time to inventory their FortiGate instances and prepare for immediate patching. We recommend that you begin identifying your vulnerable systems now and prepare to patch (schedule a dedicated task force if necessary) as soon as possible.
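To support that inventory step, here is an added triage helper (example code written for this post, not Fortinet's own tooling). It encodes the affected version ranges, the fixed releases and the DoS-only hardware list exactly as the advisory above gives them, and classifies one device from the product name, the version string printed by `get system status`, and optionally the hardware model. The inventory at the bottom is constructed sample data.

```python
"""Triage helper for FG-IR-23-001 (CVE-2023-25610).

Added example, not Fortinet's code. Version ranges, fixed releases and the
DoS-only hardware list come from the advisory text; the function names and
return format are this example's own choices.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn the string printed by `get system status`, e.g.
    'v7.2.3,build1262,221209 (GA)', into a comparable (7, 2, 3) tuple.
    Two-part strings such as '6.0' are padded to (6, 0, 0)."""
    core = text.strip().lstrip("vV").split(",")[0].split()[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


# (product, first affected, last affected inclusive, fixed release in branch).
# None: the advisory lists no fixed release for that branch, so the remedy is
# to move to a branch that has one (999 is just an upper bound for "all").
AFFECTED = [
    ("FortiOS",    (7, 2, 0), (7, 2, 3),   "7.2.4"),
    ("FortiOS",    (7, 0, 0), (7, 0, 9),   "7.0.10"),
    ("FortiOS",    (6, 4, 0), (6, 4, 11),  "6.4.12"),
    ("FortiOS",    (6, 2, 0), (6, 2, 12),  "6.2.13"),
    ("FortiOS",    (6, 0, 0), (6, 0, 999), None),
    ("FortiProxy", (7, 2, 0), (7, 2, 2),   "7.2.3"),
    ("FortiProxy", (7, 0, 0), (7, 0, 8),   "7.0.9"),
    ("FortiProxy", (2, 0, 0), (2, 0, 11),  "2.0.12"),
    ("FortiProxy", (1, 2, 0), (1, 2, 999), None),
    ("FortiProxy", (1, 1, 0), (1, 1, 999), None),
]

# Hardware on which a vulnerable FortiOS is exposed to the DoS only (list from
# the advisory). Compared case-insensitively because the advisory itself
# mixes the spellings 'FortiWiFi' and 'FortiWifi'.
DOS_ONLY_MODELS = frozenset(m.lower() for m in """
FortiGateRugged-100C FortiGate-100D FortiGate-200C FortiGate-200D FortiGate-300C
FortiGate-3600A FortiGate-5001FA2 FortiGate-5002FB2 FortiGate-60D FortiGate-620B
FortiGate-621B FortiGate-60D-POE FortiWiFi-60D FortiWiFi-60D-POE FortiGate-300C-Gen2
FortiGate-300C-DC-Gen2 FortiGate-300C-LENC-Gen2 FortiWiFi-60D-3G4G-VZW FortiGate-60DH
FortiWiFi-60DH FortiGateRugged-60D FortiGate-VM01-Hyper-V FortiGate-VM01-KVM
FortiWiFi-60D-I FortiGate-60D-Gen2 FortiWiFi-60D-J FortiGate-60D-3G4G-VZW
FortiWifi-60D-Gen2 FortiWifi-60D-Gen2-J FortiWiFi-60D-T FortiGateRugged-90D
FortiWifi-60D-Gen2-U FortiGate-50E FortiWiFi-50E FortiGate-51E FortiWiFi-51E
FortiWiFi-50E-2R FortiGate-52E FortiGate-40F FortiWiFi-40F FortiGate-40F-3G4G
FortiWiFi-40F-3G4G FortiGate-40F-3G4G-NA FortiGate-40F-3G4G-EA FortiGate-40F-3G4G-JP
FortiWiFi-40F-3G4G-NA FortiWiFi-40F-3G4G-EA FortiWiFi-40F-3G4G-JP FortiGate-40F-Gen2
FortiWiFi-40F-Gen2
""".split())


def assess(product: str, version_text: str, model: Optional[str] = None):
    """Return (vulnerable, impact, fixed_release) for one device.

    impact is 'RCE and DoS', 'DoS only' or None; fixed_release is the
    in-branch fix from the advisory, or None when that branch has none."""
    version = parse_version(version_text)
    for name, low, high, fixed in AFFECTED:
        if name.lower() == product.lower() and low <= version <= high:
            if model and model.lower() in DOS_ONLY_MODELS:
                return True, "DoS only", fixed
            return True, "RCE and DoS", fixed
    return False, None, None


if __name__ == "__main__":
    # Constructed sample inventory (hostname, product, version string, model).
    inventory = [
        ("fw-branch-01", "FortiOS", "v7.2.3,build1262,221209 (GA)", "FortiGate-100F"),
        ("fw-branch-02", "FortiOS", "v7.0.10,build0450", "FortiGate-60F"),
        ("fw-legacy-01", "FortiOS", "v6.0.15,build0475", "FortiGate-60D"),
        ("proxy-dc-01", "FortiProxy", "v2.0.11,build0354", None),
    ]
    for host, product, version_text, model in inventory:
        vulnerable, impact, fixed = assess(product, version_text, model)
        if not vulnerable:
            print(f"{host}: not affected")
        else:
            fix = f"upgrade to {fixed}" if fixed else "no fix in this branch, move to a fixed branch"
            print(f"{host}: VULNERABLE ({impact}); {fix}")
```

The model check only applies to FortiOS hardware; FortiProxy entries pass `None` and get the full RCE-and-DoS classification. A device that is "DoS only" is still vulnerable and still needs the upgrade or the local-in policy workaround; the distinction only helps with prioritisation.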

Source: https://www.fortiguard.com/psirt/FG-IR-23-001

Organizations, users, get ready! We’ll keep you updated.
