Fortinet has released fixes addressing 15 security flaws, including one critical vulnerability affecting FortiOS and FortiProxy that could allow an attacker to take control of the affected system.
The issue is tracked as CVE-2023-25610, carries a severity rating of 9.3 out of 10, and was discovered and reported internally by Fortinet's own security team.
"A buffer underwrite ('buffer underflow') vulnerability in the FortiOS and FortiProxy administrative interface may allow a remote, unauthenticated attacker to execute arbitrary code on the device or perform a DoS on the GUI via specially crafted requests," the advisory said.
An underflow bug, also called a buffer underrun, occurs when the input data is shorter than the reserved space, causing unexpected behavior and exposing sensitive data from memory.
Other possible consequences include memory corruption, which can be weaponized to induce crashes or execute arbitrary code.
Fortinet said it was not aware of any malicious exploitation attempts against this flaw. Applying the fix promptly is nonetheless essential.
The following versions of FortiOS and FortiProxy are affected:
- FortiOS versions 7.2.0 through 7.2.3
- FortiOS versions 7.0.0 through 7.0.9
- FortiOS versions 6.4.0 through 6.4.11
- FortiOS versions 6.2.0 through 6.2.12
- FortiOS 6.0 All versions
- FortiProxy version 7.2.0 to 7.2.2
- FortiProxy version 7.0.0 to 7.0.8
- FortiProxy version 2.0.0 to 2.0.11
- FortiProxy 1.2 All versions
- FortiProxy 1.1 All versions
The fix is available in FortiOS versions 6.2.13, 6.4.12, 7.0.10, 7.2.4, and 7.4.0; FortiOS-6K7K versions 6.2.13, 6.4.12, and 7.0.10; and FortiProxy versions 2.0.12, 7.0.9, and 7.0.9.
As a workaround, Fortinet advises users to disable the HTTP/HTTPS management interface or limit the IP addresses that can access it.
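The affected-version list and the advisory's workaround (disable HTTP/HTTPS administrative access or restrict the source IPs that may reach it) both lend themselves to an automated check of a configuration backup. The following script is an added example, not Fortinet's code or tooling: it reads the plain-text format of a FortiOS backup (the `#config-version=` header, `config system interface` with its `allowaccess` list, and `config system admin` with its `trusthostN` entries), compares the firmware version against the affected ranges quoted above, and flags interfaces that still expose the GUI and admin accounts with no trusted-host restriction. The embedded configuration is constructed for the example; real backups may carry additional tables the script simply ignores.

```python
"""Audit a FortiOS configuration backup for CVE-2023-25610 exposure.

Added example (not Fortinet code). It assumes the plain-text backup format
produced by FortiOS; SAMPLE_CONFIG below is constructed, not a real device.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges quoted in the advisory (inclusive). "All versions" of a
# branch is modelled as an open-ended upper bound on that branch.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 3)),
        ((7, 0, 0), (7, 0, 9)),
        ((6, 4, 0), (6, 4, 11)),
        ((6, 2, 0), (6, 2, 12)),
        ((6, 0, 0), (6, 0, 9999)),   # FortiOS 6.0, all versions
    ],
    "FortiProxy": [
        ((7, 2, 0), (7, 2, 2)),
        ((7, 0, 0), (7, 0, 8)),
        ((2, 0, 0), (2, 0, 11)),
        ((1, 2, 0), (1, 2, 9999)),   # FortiProxy 1.2, all versions
        ((1, 1, 0), (1, 1, 9999)),   # FortiProxy 1.1, all versions
    ],
}


def parse_version(text: str) -> Version:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a dotted version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])


def firmware_version(config_text: str) -> str:
    # Backup header looks like: #config-version=FGT60F-7.0.9-FW-build0444-221114:...
    m = re.search(r"#config-version=\S+?-(\d+\.\d+\.\d+)-", config_text)
    if not m:
        raise ValueError("no #config-version header found")
    return m.group(1)


def parse_config_table(config_text: str, table: str) -> Dict[str, Dict[str, str]]:
    """Return {entry_name: {setting: value}} for one 'config <table> ... end' block.

    Nested sub-tables (e.g. 'config ipv6' inside an interface) are skipped so
    their own 'end' lines do not terminate the outer table early.
    """
    entries: Dict[str, Dict[str, str]] = {}
    in_table, depth, current = False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line == f"config {table}"
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth:
            continue                      # inside a nested sub-table: ignore
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value
    return entries


def audit(config_text: str) -> List[str]:
    """Collect findings relevant to the advisory's workaround guidance."""
    findings: List[str] = []
    ver = firmware_version(config_text)
    if is_affected("FortiOS", ver):
        findings.append(f"firmware {ver} is in an affected FortiOS range")
    # http/https in allowaccess means the management GUI is reachable on that interface.
    for name, settings in parse_config_table(config_text, "system interface").items():
        exposed = sorted(set(settings.get("allowaccess", "").split()) & {"http", "https"})
        if exposed:
            findings.append(f"interface {name} allows {' '.join(exposed)} admin access")
    # An admin with no trusthost (or the 0.0.0.0/0 default) accepts logins from any source IP.
    for name, settings in parse_config_table(config_text, "system admin").items():
        hosts = [v for k, v in settings.items()
                 if k.startswith("trusthost") and v != "0.0.0.0 0.0.0.0"]
        if not hosts:
            findings.append(f"admin {name} has no trusthost restriction")
    return findings


# Constructed sample backup for the example; not from a real device.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.0.9-FW-build0444-221114:opmode=0:vdom=0:user=admin
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 192.168.1.0 255.255.255.0
    next
    edit "helpdesk"
        set accprofile "prof_admin"
    next
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a real backup by replacing `SAMPLE_CONFIG` with the file contents. The firmware check uses FortiOS ranges; call `is_affected("FortiProxy", ...)` for a FortiProxy unit. A `https` finding on a WAN-facing interface is the condition the workaround is meant to remove; an `internal`-only exposure still warrants a trusted-host restriction until the patched version is installed.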
The disclosure comes several weeks after the network security firm issued fixes for 40 vulnerabilities. Two of them are rated Critical and affect the FortiNAC (CVE-2022-39952) and FortiWeb (CVE-2021-42756) products.