A ‘critical’ severity flaw has been detected in FortiOS and FortiProxy, identified as CVE-2023-33308 (CVSS score 9.8). A remote attacker can exploit the vulnerability on susceptible devices to execute arbitrary code on the affected Fortinet appliance.
“A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection”, reads the advisory published by Fortinet.
A stack-based overflow occurs when a program writes more data into a buffer allocated on the stack than the buffer can hold, so the excess spills into the adjacent stack memory; because that memory holds other variables and control data, this is a security defect rather than a mere bug.
By supplying specifically crafted input that exceeds the buffer’s limit, an attacker can overwrite that neighbouring function-related control data on the stack and divert execution to malicious code.
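The pattern described above, shown as an added example in C that is not Fortinet code and says nothing about how FortiOS actually parses packets: a hypothetical length-prefixed field ([len][len bytes]) is copied into a fixed stack buffer. The unchecked variant trusts the length byte from the packet, which is the CWE-121 stack-overflow pattern; the checked variant validates the declared length against both the bytes present and the destination capacity before copying. The sample packets and the field format are constructed for the example.

```c
/* Added example, not Fortinet code. Field format [len][len bytes] is a
 * hypothetical stand-in for a protocol field an inspection engine copies
 * into a fixed stack buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* size of the fixed stack buffer in the caller */

/* Status codes returned by the checked parser. */
enum field_status { FIELD_OK = 0, FIELD_TRUNCATED = -1, FIELD_TOO_LONG = -2 };

/* Unsafe pattern (CWE-121), kept only for contrast: the length byte taken
 * from the packet is never compared with sizeof name, so a packet declaring
 * more than FIELD_MAX-1 bytes writes past the end of the stack buffer.
 * Deliberately never called by the demo below. */
size_t field_copy_unchecked(const uint8_t *pkt, size_t pkt_len) {
    char name[FIELD_MAX];
    size_t len = pkt[0];
    (void)pkt_len;                   /* packet length is ignored entirely */
    memcpy(name, pkt + 1, len);      /* no bound check: overflow if len >= 32 */
    name[len] = '\0';
    return len;
}

/* Checked parser: rejects a packet that is shorter than its length byte
 * claims and one whose field would not fit in `out` with its terminator.
 * Returns the number of bytes copied, or a negative field_status. */
int field_copy_checked(const uint8_t *pkt, size_t pkt_len,
                       char *out, size_t out_cap) {
    if (pkt == NULL || out == NULL || out_cap == 0 || pkt_len < 1)
        return FIELD_TRUNCATED;
    size_t len = pkt[0];
    if (len > pkt_len - 1)           /* packet shorter than it claims */
        return FIELD_TRUNCATED;
    if (len >= out_cap)              /* must leave room for the terminator */
        return FIELD_TOO_LONG;
    memcpy(out, pkt + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Same fixed stack buffer as the unchecked variant, but the copy goes
 * through the checked parser; the status is returned so callers can drop
 * malformed packets instead of processing them. */
int parse_field_to_stack_buffer(const uint8_t *pkt, size_t pkt_len) {
    char name[FIELD_MAX];
    return field_copy_checked(pkt, pkt_len, name, sizeof name);
}

/* Constructed sample packets (not captured traffic). */
const uint8_t SAMPLE_OK[]        = {5, 'h', 'e', 'l', 'l', 'o'};
const uint8_t SAMPLE_TRUNCATED[] = {10, 'a', 'b'};   /* claims 10, carries 2 */

/* Builds a constructed packet whose length byte (60) exceeds FIELD_MAX and
 * runs it through the checked parser; returns FIELD_TOO_LONG. */
int demo_oversized(void) {
    uint8_t pkt[61];
    pkt[0] = 60;
    memset(pkt + 1, 'A', 60);
    return parse_field_to_stack_buffer(pkt, sizeof pkt);
}

int main(void) {
    printf("ok packet        -> %d\n",
           parse_field_to_stack_buffer(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("truncated packet -> %d\n",
           parse_field_to_stack_buffer(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("oversized packet -> %d\n", demo_oversized());
    return 0;
}
```

The two checks in `field_copy_checked` are independent: the first stops an out-of-bounds read from a short packet, the second stops the out-of-bounds write that the article's class of bug relies on. Returning a status rather than a partially filled buffer lets the caller reject the packet before anything downstream acts on it.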
Researchers from the security firm watchTowr uncovered the flaw.
Impacted FortiOS and FortiProxy Versions
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.10
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.9
Versions Not Affected
- FortiOS 6.4 all versions
- FortiOS 6.2 all versions
- FortiOS 6.0 all versions
- FortiProxy 2.x all versions
- FortiProxy 1.x all versions
Fixes Available
- FortiOS version 7.2.4 or above
- FortiOS version 7.0.11 or above
- FortiProxy version 7.2.3 or above
- FortiProxy version 7.0.10 or above
As a workaround, the advisory also recommends disabling HTTP/2 support on the SSL inspection profiles used by proxy policies or by firewall policies in proxy mode.
Fortinet’s advisory includes an example of a custom deep-inspection profile with HTTP/2 support disabled.
In addition, fixes for a medium-severity FortiOS vulnerability were published on Tuesday, which might allow an attacker to reuse a deleted user’s session.
The weakness, identified as CVE-2023-28001, occurs because an “existing WebSocket connection persists after deleting API admin.”
For CVE-2023-33308, the cybersecurity firm recommends disabling HTTP/2 support on SSL inspection profiles as a mitigation against exploitation.