In this cybersecurity threat advisory, Fortinet and SonicWall both advised of vulnerabilities found in their products. Fortinet shared that FortiOS and FortiProxy have a critical vulnerability whose successful exploitation allows an attacker to perform remote arbitrary code execution. SonicWall announced fifteen different vulnerabilities which, when exploited together, can allow an attacker to bypass authentication. Barracuda MSP recommends applying security updates to these systems immediately.
What is the threat?
The vulnerability in FortiOS and FortiProxy (CVE-2023-33308) is a stack-based overflow vulnerability that can lead to remote arbitrary code execution. Bad actors can send crafted packets that reach proxy policies or firewall policies and exceed the buffer size, resulting in a data overflow. The overflowed data can allow the attacker to execute malicious code on the device. The vulnerability exists in the following versions:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.10
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.9
SonicWall has announced a group of fifteen vulnerabilities – four of which are classified as critical:
- CVE-2023-34124 – Web Service Authentication Bypass
- CVE-2023-34133 – Multiple Unauthenticated SQL Injection Issues & Security Filter Bypass
- CVE-2023-34134 – Password Hash Read via Web Service
- CVE-2023-34137 – CAS Authentication Bypass
When these vulnerabilities are exploited together, a remote attacker can bypass authentication and view data they normally don’t have access to. In addition, attackers can establish persistence by modifying data on the SonicWall device. The vulnerabilities exist in the following versions:
- GMS 9.3.2-SP1 or earlier
- Analytics 2.5.0.4-R7 or earlier
Why is it noteworthy?
Fortinet and SonicWall products are used by businesses globally. The severity of the vulnerabilities makes them an attractive target for attackers. The Fortinet vulnerability CVE-2023-33308 is especially noteworthy for its potential to enable remote arbitrary code execution.
What is the exposure or risk?
The vulnerabilities in both Fortinet and SonicWall products pose a significant risk to all organizations. Firewall functions are critical for maintaining proper security posture, and the compromise of an organization’s firewall can expose vulnerable devices in the environment to further compromise. Successful exploitation can lead to data breaches, disruption of service, and potential financial loss.
What are the recommendations?
Barracuda MSP recommends the following actions to secure your environment against these vulnerabilities:
- Upgrade FortiOS/FortiProxy to the following versions:
  - FortiOS version 7.2.4 or above
  - FortiOS version 7.0.11 or above
  - FortiProxy version 7.2.3 or above
  - FortiProxy version 7.0.10 or above
- If an immediate upgrade to the Fortinet products is not possible, disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies using proxy mode.
- Upgrade SonicWall products to the following versions:
  - GMS 9.3.3 or above
  - Analytics 2.5.2 or above
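To turn the version lists above into a patch queue, the following added example (not from Barracuda, Fortinet or SonicWall) classifies an inventory against the affected and fixed versions stated in this advisory. The inventory format, hostnames and status labels are assumptions; SonicWall builds below the first fixed release are treated as needing the upgrade, and Fortinet branches the advisory does not mention are reported as `not_listed` rather than assumed safe.

```python
import re

# Last affected release per branch (ranges start at x.y.0), from this advisory.
FORTINET_AFFECTED = {
    "fortios":    {(7, 2): (7, 2, 3), (7, 0): (7, 0, 10)},
    "fortiproxy": {(7, 2): (7, 2, 2), (7, 0): (7, 0, 9)},
}
# SonicWall: assumption that anything below the first fixed release needs it.
SONICWALL_FIXED = {"gms": (9, 3, 3), "analytics": (2, 5, 2)}

def parse_version(text):
    """Return the numeric prefix as a tuple; suffixes such as -SP1 are ignored."""
    match = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def classify(product, version):
    """Return 'upgrade', 'fixed' or 'not_listed' for one product/version pair."""
    name, ver = product.lower(), parse_version(version)
    if name in SONICWALL_FIXED:
        return "upgrade" if ver < SONICWALL_FIXED[name] else "fixed"
    branches = FORTINET_AFFECTED.get(name)
    if branches is None:
        return "not_listed"          # product not covered by this advisory
    last_affected = branches.get(ver[:2])
    if last_affected is not None:
        return "upgrade" if ver <= last_affected else "fixed"
    # Branches newer than any listed one satisfy "7.2.x or above"; older
    # branches are not mentioned in the advisory, so make no claim about them.
    return "fixed" if ver[:2] > max(branches) else "not_listed"

def triage(inventory):
    """Parse 'host product version' lines and return (host, status) pairs."""
    results = []
    for line in inventory.strip().splitlines():
        host, product, version = line.split()
        results.append((host, classify(product, version)))
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """
fw-edge-01   FortiOS     7.2.3
fw-edge-02   FortiOS     7.0.11
fw-lab-01    FortiOS     6.4.12
proxy-01     FortiProxy  7.2.2
gms-01       GMS         9.3.2-SP1
analytics-01 Analytics   2.5.2
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host:14} {status}")
```

Hosts reported as `not_listed` need to be checked against the vendor advisory directly, since this page gives no information about those releases.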
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-flaw-in-fortios-fortiproxy-devices/
- https://www.bleepingcomputer.com/news/security/300-000-plus-fortinet-firewalls-vulnerable-to-critical-fortios-rce-bug/
- https://docs.fortinet.com/document/fortigate/7.0.0/new-features/710924/http-2-support-in-proxy-mode-ssl-inspection
- https://www.bleepingcomputer.com/news/security/sonicwall-warns-admins-to-patch-critical-auth-bypass-bugs-immediately/
- https://thehackernews.com/2023/07/new-vulnerabilities-disclosed-in.html
If you have any questions regarding this Cybersecurity Threat Advisory, please contact our Security Operations Center.