Fortinet has discovered a “Critical” vulnerability affecting FortiOS & FortiProxy. It enables an unauthenticated attacker to run arbitrary code or result in a service denial (DoS) to the GUI of susceptible devices via carefully crafted queries.
This kind of bug happens when software attempts to read more data from a memory buffer that is accessible, which leads to accessing adjacent memory locations and potentially unsafe behavior or crashes. The CVSS v3 score for this buffer underflow vulnerability is 9.3, making it critical. It is tagged as CVE-2023-25610.
According to the security alert released by Fortinet (FortiOS & FortiProxy) yesterday, the following products are affected even though the company is not currently aware of any instances of active exploitation in the wild:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS version 6.2.0 through 6.2.12
- FortiOS 6.0, all versions
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.8
- FortiProxy version 2.0.0 through 2.0.11
- FortiProxy 1.2, all versions
- FortiProxy 1.1, all versions
The target upgrade versions that fix the CVE-2023-25610 vulnerability are:
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.4 or above
- FortiOS version 7.0.10 or above
- FortiOS version 6.4.12 or above
- FortiOS version 6.2.13 or above
- FortiProxy version 7.2.3 or above
- FortiProxy version 7.0.9 or above
- FortiProxy version 2.0.12 or above
- FortiOS-6K7K version 7.0.10 or above
- FortiOS-6K7K version 6.4.12 or above
- FortiOS-6K7K version 6.2.13 or above
Even if they use a vulnerable FortiOS version, Fortinet claims that fifty of the device models listed in the security warning are not affected by the arbitrary code execution portion of the bug but only the denial of service element. Administrators need to implement the available security upgrades as soon as feasible because device models not included in the alert are also susceptible to these problems.
Fortinet advises the workarounds of deactivating the HTTP/HTTPS administrative interface or limiting the IP addresses that can access it remotely for those who are unable to install the updates. The security warning contains instructions on how to use the workarounds, which also address situations where non-default ports are used.
Threat actors keep a watch out for Fortinet products FortiOS & FortiProxy with critical-severity defects, especially those that can be exploited without authentication, as they offer a way to get initial access to corporate networks. It is crucial to reduce this vulnerability as result swiftly.
For instance, on February 16, Fortinet patched two serious remote code execution vulnerabilities affecting the FortiNAC and FortiWeb products, urging customers to install the security upgrades promptly. Only four days later, a workable proof-of-concept attack to take advantage of the issue was made public, and on February 22, 2023, actual exploitation in the wild started.
Conclusion
A major vulnerability affecting FortiOS and FortiProxy that might allow a threat actor to take control of impacted systems is one of 15 security issues that Fortinet has fixed. Internally detected and reported by its security staff, the problem—tracked as CVE-2023-25610—is rated 9.3 out of 10 for severity.
A Fortinet advisory claims that a “buffer underwrite (or “buffer underflow”) weakness and a remote, unauthenticated attacker might use FortiOS and the FortiProxy administrative interface to run arbitrary code on the device and/or carry out a Denial of Service attack on the GUI, via specifically crafted requests. When input data is shorter than the space allotted, a condition known as a buffer underrun, often referred to as an underflow problem occurs. It can cause unpredictable behavior or the release of sensitive information from memory.
Additional outcomes could include memory corruption, which could be used as a weapon to trigger a crash or run arbitrary code. According to Fortinet, it is unaware of any malicious attempts to exploit the weakness. But, it’s imperative that consumers act swiftly to deploy the updates because previous software faults have been actively exploited in the wild.
