Fortinet has disclosed a “Critical” vulnerability impacting FortiOS and FortiProxy, which allows an unauthenticated attacker to execute arbitrary code or perform denial of service (DoS) on the GUI of vulnerable devices using specially crafted requests.
This buffer underflow vulnerability is tracked as CVE-2023-25610 and has a CVSS v3 score of 9.3, rating it critical. This type of flaw occurs when a program tries to read more data from a memory buffer than is available, resulting in accessing adjacent memory locations, leading to risky behavior or crashes.
The security advisory published by Fortinet yesterday says that it’s not aware of any instances of active exploitation in the wild at this time, and it affects the following products:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS version 6.2.0 through 6.2.12
- FortiOS 6.0, all versions
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.8
- FortiProxy version 2.0.0 through 2.0.11
- FortiProxy 1.2, all versions
- FortiProxy 1.1, all versions
The target upgrade versions that fix the CVE-2023-25610 vulnerability are:
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.4 or above
- FortiOS version 7.0.10 or above
- FortiOS version 6.4.12 or above
- FortiOS version 6.2.13 or above
- FortiProxy version 7.2.3 or above
- FortiProxy version 7.0.9 or above
- FortiProxy version 2.0.12 or above
- FortiOS-6K7K version 7.0.10 or above
- FortiOS-6K7K version 6.4.12 or above
- FortiOS-6K7K version 6.2.13 or above
Fortinet says that fifty device models, listed in the security bulletin, are not impacted by the arbitrary code execution component of the flaw but only the denial of service part, even if they run a vulnerable FortiOS version.
Device models not listed in the advisory are vulnerable to both issues, so administrators should apply the available security updates as soon as possible.
For those who cannot apply the updates, Fortinet suggests the workaround of disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can access it remotely.
Instructions on how to apply the workarounds, which also cover cases of non-default port usage, are included in the security advisory.
Threat actors keep an eye for critical-severity flaws impacting Fortinet products, especially those that require no authentication to exploit, as they provide a method to gain initial access to corporate networks. Due to this, it is imperative to mitigate this vulnerability quickly.
For example, on February 16, Fortinet fixed two critical remote code execution flaws impacting FortiNAC and FortiWeb products, calling users to apply the security updates immediately.
A working proof-of-concept exploit to leverage the flaw was made public only four days later, and active exploitation in the wild began on February 22, 2023.