Fortinet has released information concerning a FortiOS & FortiProxy Heap Buffer administrative interface vulnerability with a CVSS score of 9.3. The vulnerability allows an unauthenticated attacker to execute commands on the device and/or perform a denial-of-service (DoS) attack on the graphical user interface (GUI) through specially crafted HTTP requests. Barracuda SOC recommends updating affected FortiOS & FortiProxy products with the latest patch releases as soon as possible.
What is the threat?
A buffer underflow vulnerability exists in the FortiOS & FortiProxy administrative interface, which allows an unauthenticated remote attacker to carry out arbitrary code on the device and/or perform a DoS attack on the GUI via specifically crafted requests. Fortinet stated this vulnerability allows a DOS attack on certain hardware. There is no known instance where this vulnerability was exploited in the wild. The vulnerability was discovered internally within the fame of reviewing and testing the security of Fortinet’s products.
Why is it noteworthy?
It is important to be aware of critical-severity flaws impacting Fortinet products, especially when it does not require authentication to exploit since it opens a gateway to gain initial access to corporate networks.
An example being, on February 16, 2023, Fortinet was able to fix two remote code execute flaws which impacted FortiNAC and FortiWeb products where users were asked to apply security immediately. Only four days later February 22, 2023, a proof-of concept exploit to leverage the flaw was made public and an active exploitation began.
What is the exposure or risk?
When exploited, the unauthenticated attacker can execute arbitrary code or perform DoS attacks which can allow a malicious actor to compromise a system.
The following FortiOS versions are vulnerable:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS version 6.2.0 through 6.2.12
- FortiOS 6.0 all versions
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.8
- FortiProxy version 2.0.0 through 2.0.11
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
What are the recommendations?
Barracuda SOC recommends the following actions to limit the impact of a unauthenticated remote code execution attack:
- Upgrade to the following versions
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.4 or above
- FortiOS version 7.0.10 or above
- FortiOS version 6.4.12 or above
- FortiOS version 6.2.13 or above
- FortiProxy version 7.2.3 or above
- FortiProxy version 7.0.9 or above
- FortiProxy version 2.0.12 or above
- FortiOS-6K7K version 7.0.10 or above
- FortiOS-6K7K version 6.4.12 or above
- FortiOS-6K7K version 6.2.13 or above
- Workaround to block incoming attacks if you cannot immediately deploy security updates:
- Disable HTTP/HTTPS administrative interface
- Limit IP addresses that can reach the administrative interface:
- config firewall address > edit “my_allowed_addresses” > set subnet <MY IP> <MY SUBNET>
- end
- Then create an Address Group:
- config firewall addrgrp > edit “MGMT_IPs” > set member “my_allowed_addresses”
- end
- Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):
- config firewall local-in-policy
- edit 1
- set intf port1
- set srcaddr “MGMT_IPs”
- set dstaddr “all”
- set action accept
- set service HTTPS HTTP
- set schedule “always”
- set status enable
- next
- edit 2
- set intf “any”
- set srcaddr “all”
- set dstaddr “all”
- set action deny
- set service HTTPS HTTP
- set schedule “always”
- set status enable
- end
If using non default ports, create appropriate service object for GUI administrative access:
-
- config firewall service custom
- edit GUI_HTTPS
- set tcp-portrange <admin-sport>
- next
- edit GUI_HTTP
- set tcp-portrange <admin-port>
- end
Use these objects instead of “HTTPS HTTP “in the local-in policy 1 and 2 below.
When using an HA reserved management interface, the local in policy needs to be configured slightly differently – please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.fortiguard.com/psirt/FG-IR-23-001
- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-unauthenticated-rce-vulnerability/
- https://securityonline.info/cve-2023-25610-critical-vulnerability-affects-fortios-fortiproxy/
- https://www.nuspire.com/blog/fortinet-releases-advisory-on-critical-fortios-vulnerability/
If you have any questions, please contact the Barracuda Security Operations Center.