Overview
Fortinet warns of a new critical buffer underwrite vulnerability affecting FortiOS and FortiProxy. Tracked as CVE-2023-25610, the flaw allows an unauthenticated attacker to execute arbitrary code or cause a denial of service through the device's graphical user interface. The vulnerability was uncovered internally while reviewing and testing the security of the company's products, and Fortinet is not aware of it being exploited in the wild.
This Flaw Affects Multiple Devices, Including:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS version 6.2.0 through 6.2.12
- FortiOS 6.0 – all versions
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.8
- FortiProxy version 2.0.0 through 2.0.11
- FortiProxy 1.2 – all versions
- FortiProxy 1.1 – all versions
Additionally, note that some hardware devices running an affected FortiOS version are impacted only by the denial of service issue.
If a device cannot be updated, Fortinet offers a workaround: disable the HTTP/HTTPS administrative interface straight away, or restrict the IP addresses that are allowed to reach it remotely.
Wherever possible, though, upgrade any device whose version is listed above as vulnerable.
Fortinet Recommends Upgrading to the Following Versions to Eliminate the Risk of this Vulnerability:
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.4 or above
- FortiOS version 7.0.10 or above
- FortiOS version 6.4.12 or above
- FortiOS version 6.2.13 or above
- FortiProxy version 7.2.3 or above
- FortiProxy version 7.0.9 or above
- FortiProxy version 2.0.12 or above
- FortiOS-6K7K version 7.0.10 or above
- FortiOS-6K7K version 6.4.12 or above
- FortiOS-6K7K version 6.2.13 or above
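To turn the two version lists above into an inventory check, here is an added example (not Fortinet's code and not part of the advisory) that flags a device's FortiOS or FortiProxy version as affected and names the fixed release for its branch. It assumes FortiOS-6K7K follows the FortiOS branch numbering, and the inventory lines at the bottom are constructed samples.

```python
# Added example (not Fortinet's code): flag FortiOS/FortiProxy versions that fall
# in the affected ranges above and name the fixed release from the second list.

# (product, major, minor) -> (last affected patch, None = "all versions";
#                             fixed release in that branch, None = none listed)
AFFECTED = {
    ("FortiOS", 7, 2): (3, "7.2.4"),
    ("FortiOS", 7, 0): (9, "7.0.10"),
    ("FortiOS", 6, 4): (11, "6.4.12"),
    ("FortiOS", 6, 2): (12, "6.2.13"),
    ("FortiOS", 6, 0): (None, None),
    ("FortiProxy", 7, 2): (2, "7.2.3"),
    ("FortiProxy", 7, 0): (8, "7.0.9"),
    ("FortiProxy", 2, 0): (11, "2.0.12"),
    ("FortiProxy", 1, 2): (None, None),
    ("FortiProxy", 1, 1): (None, None),
}

def parse_version(text):
    """'7.0.9' -> (7, 0, 9); '6.0' -> (6, 0, 0); tolerates a trailing '.'."""
    parts = [int(p) for p in text.strip().rstrip(".").split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]

def assess(product, version):
    """Return (affected, fixed_release); fixed_release is None when unaffected
    or when the branch lists no fix (move to a supported branch instead)."""
    if product == "FortiOS-6K7K":
        product = "FortiOS"  # assumption: 6K7K follows the FortiOS branch numbering
    major, minor, patch = parse_version(version)
    entry = AFFECTED.get((product, major, minor))
    if entry is None:
        return False, None
    last_affected, fixed = entry
    if last_affected is None or patch <= last_affected:
        return True, fixed
    return False, None

def scan_inventory(lines):
    """Apply assess() to 'host,product,version' lines; return affected devices."""
    findings = []
    for line in lines:
        host, product, version = (f.strip() for f in line.split(","))
        affected, fixed = assess(product, version)
        if affected:
            findings.append((host, version, fixed))
    return findings

if __name__ == "__main__":
    sample = ["fw-edge-1,FortiOS,7.0.9", "fw-edge-2,FortiOS,7.0.10",    # constructed
              "proxy-1,FortiProxy,2.0.11", "fw-legacy,FortiOS,6.0.15"]  # inventory
    for host, ver, fixed in scan_inventory(sample):
        print(f"{host}: {ver} affected, upgrade to {fixed or 'a supported branch'}")
```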
In conclusion, staying current on patches and regularly checking for updates is important to ensure your devices and organization are not exposed to known vulnerabilities. With this in mind, see the sources below for more information on the affected and fixed FortiOS and FortiProxy versions.
Sources
https://www.fortiguard.com/psirt/FG-IR-23-001 – FortiGuard PSIRT advisory FG-IR-23-001
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-unauthenticated-rce-vulnerability/ – BleepingComputer coverage
https://www.helpnetsecurity.com/2023/03/09/cve-2023-25610/ – Help Net Security coverage