Fortinet has released patches addressing 15 security flaws, including one critical vulnerability affecting FortiOS and FortiProxy that could allow an attacker to take control of the affected system.
The issue is tracked as CVE-2023-25610. It has a severity rating of 9.3 out of 10 and was discovered and reported internally by Fortinet's own security team.
“A buffer underwrite (‘buffer underflow’) vulnerability in the FortiOS and FortiProxy management interface could allow a remote, unauthenticated attacker to execute arbitrary code on the device or perform a DoS on the GUI via specially crafted requests,” the advisory said.
Other possible consequences include memory corruption, which can be weaponized to induce crashes or execute arbitrary code.
Fortinet said it was not aware of any malicious exploitation attempts against this flaw. Applying the fix promptly is nevertheless essential.
The following versions of FortiOS and FortiProxy are affected:
- FortiOS versions 7.2.0 through 7.2.3
- FortiOS versions 7.0.0 through 7.0.9
- FortiOS versions 6.4.0 through 6.4.11
- FortiOS versions 6.2.0 through 6.2.12
- FortiOS 6.0, all versions
- FortiProxy versions 7.2.0 through 7.2.2
- FortiProxy versions 7.0.0 through 7.0.8
- FortiProxy versions 2.0.0 through 2.0.11
- FortiProxy 1.2, all versions
- FortiProxy 1.1, all versions
The fix is available in FortiOS versions 6.2.13, 6.4.12, 7.0.10, 7.2.4, and 7.4.0; FortiOS-6K7K versions 6.2.13, 6.4.12, and 7.0.10; and FortiProxy versions 2.0.12, 7.0.9, and 7.0.9.
As a workaround, Fortinet advises users to disable the HTTP/HTTPS management interface or limit the IP addresses that can access it.
The disclosure comes several weeks after the network security firm issued fixes for 40 vulnerabilities. Two of them are rated Critical and affect the FortiNAC (CVE-2022-39952) and FortiWeb (CVE-2021-42756) products.