Fortinet has disclosed a critical severity flaw impacting FortiOS and FortiProxy, allowing a remote attacker to perform arbitrary code execution on vulnerable devices.
The flaw, discovered by cybersecurity firm Watchtowr is tracked as CVE-2023-33308 and has received a CVS v3 rating of 9.8 out of 10.0, rating it “critical.”
“A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection,” warns Fortinet in a new advisory.
A stack-based overflow is a security problem that occurs when a program writes more data to a buffer located on the stack (memory region) than what is allocated for the buffer, resulting in data overflowing to adjacent memory locations.
An attacker can exploit these types of flaws by sending specially crafted input that exceeds the buffer’s capacity to overwrite critical memory parameters relating to functions, achieving malicious code execution.
The flaw impacts the following FortiOS versions:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.10
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.9
Fortinet clarified that the issue was resolved in a previous release without a corresponding advisory, so it does not impact the latest release branch, FortiOS 7.4.
Fixes for CVE-2023-33308 have been provided in the following versions:
- FortiOS version 7.2.4 or above
- FortiOS version 7.0.11 or above
- FortiProxy version 7.2.3 or above
- FortiProxy version 7.0.10 or above
The Fortinet advisory has clarified that FortiOS products from the 6.0, 6.2, 6.4, 2.x, and 1.x release branches are not impacted by CVE-2023-33308.
CISA has also published an alert about the vulnerability, urging impacting organizations to apply the available security update.
If admins are unable to apply the new firmware immediately, Fortinet says you can disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode as a workaround.
Fortinet has provided the following example of a custom-deep-inspection profile that disabled HTTP/2 support:
config firewall ssl-ssh-profile
edit "custom-deep-inspection"
set supported-alpn http1-1
next
end
Fortinet patch lag
Another FortiOS buffer overflow vulnerability tracked as CVE-2023-27997 has recently highlighted the problem of patch lag.
Offensive security solutions firm Bishop Fox reported finding 335,900 vulnerable FortiGate firewalls exposed on the internet, a whole month after the vendor made a fix available for the actively exploited bug.
Threat actors are always looking for critical-severity flaws impacting Fortinet products, especially those that require no authentication to exploit, as they provide an easy way to gain initial access to valuable corporate networks.
That said, users and admins of products running FortiOS are urged to check their software release and ensure that they’re running a safe version.