- Fortinet released new versions of FortiOS and FortiProxt to fix a critical vulnerability that allows attackers to execute arbitrary code.
- The heap buffer underflow vulnerability in the administrative interface allows attackers to perform a DoS on the GUI, via specifically crafted requests.
- Fortinet announced that the company is not aware of any instance where this vulnerability was exploited in the wild.
Fortinet published a security advisory to warn users about a vulnerability, tracked as CVE-2023-25610, that has a CVSSv3 score of 9.3. Currently, the vulnerability is not under attack but Fortinet urged users to update their installations and also provided a workaround to users. Fortinet stated that there is evidence that shows any instances where this vulnerability is being exploited in the wild.
Workaround available
The vulnerability was internally discovered and reported by Kai Ni from the Burnaby InfoSec team. The buffer underwrite vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests. Affected products are:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS version 6.2.0 through 6.2.12
- FortiOS 6.0 all versions
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.8
- FortiProxy version 2.0.0 through 2.0.12
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
Even when running a vulnerable FortiOS version, the hardware devices listed below are only impacted by the DoS part of the issue, not by the arbitrary code execution (non-listed devices are vulnerable to both):
- FortiGateRugged-100C
- FortiGate-100D
- FortiGate-200C
- FortiGate-200D
- FortiGate-300C
- FortiGate-3600A
- FortiGate-5001FA2
- FortiGate-5002FB2
- FortiGate-60D
- FortiGate-620B
- FortiGate-621B
- FortiGate-60D-POE
- FortiWiFi-60D
- FortiWiFi-60D-POE
- FortiGate-300C-Gen2
- FortiGate-300C-DC-Gen2
- FortiGate-300C-LENC-Gen2
- FortiWiFi-60D-3G4G-VZW
- FortiGate-60DH
- FortiWiFi-60DH
- FortiGateRugged-60D
- FortiGate-VM01-Hyper-V
- FortiGate-VM01-KVM
- FortiWiFi-60D-I
- FortiGate-60D-Gen2
- FortiWiFi-60D-J
- FortiGate-60D-3G4G-VZW
- FortiWifi-60D-Gen2
- FortiWifi-60D-Gen2-J
- FortiWiFi-60D-T
- FortiGateRugged-90D
- FortiWifi-60D-Gen2-U
- FortiGate-50E
- FortiWiFi-50E
- FortiGate-51E
- FortiWiFi-51E
- FortiWiFi-50E-2R
- FortiGate-52E
- FortiGate-40F
- FortiWiFi-40F
- FortiGate-40F-3G4G
- FortiWiFi-40F-3G4G
- FortiGate-40F-3G4G-NA
- FortiGate-40F-3G4G-EA
- FortiGate-40F-3G4G-JP
- FortiWiFi-40F-3G4G-NA
- FortiWiFi-40F-3G4G-EA
- FortiWiFi-40F-3G4G-JP
- FortiGate-40F-Gen2
- FortiWiFi-40F-Gen2
Solution
Fortinet states that in order to patch the systems against the vulnerability, update the Fortinet products to the versions below:
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.4 or above
- FortiOS version 7.0.10 or above
- FortiOS version 6.4.12 or above
- FortiOS version 6.2.13 or above
- FortiProxy version 7.2.3 or above
- FortiProxy version 7.0.9 or above
- FortiOS-6K7K version 7.0.10 or above
- FortiOS-6K7K version 6.4.12 or above
- FortiOS-6K7K version 6.2.13 or above
Workaround
Disable HTTP/HTTPS administrative interface or limit IP addresses that can reach the administrative interface:
config firewall address
edit "my_allowed_addresses"
set subnet <MY IP> <MY SUBNET>
endThen create an Address Group:
config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
endCreate the Local in Policy to restrict access only to the predefined group on management interface (here: port1):
config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
endIf using non default ports, create appropriate service object for GUI administrative access:
config firewall service custom
edit GUI_HTTPS
set tcp-portrange <admin-sport>
next
edit GUI_HTTP
set tcp-portrange <admin-port>
endUse these objects instead of “HTTPS HTTP” in the local-in policies 1 and 2. When using an HA-reserved management interface, the local-in policy needs to be configured slightly differently.