Critical Unauthenticated Remote Code Execution Vulnerability Found in Fortinet FortiOS and FortiProxy

Enterprotect recommends immediate action to address a critical security flaw found in Fortinet's FortiOS and FortiProxy products. The vulnerability allows an unauthenticated attacker to execute commands on the device and perform a denial-of-service (DoS) attack on the graphical user interface (GUI) through specially crafted HTTP requests. With a CVSS score of 9.3, this vulnerability is highly critical and should be addressed immediately.

In this advisory, we will discuss the technical details of the vulnerability, its significance, and the exposure and risks it poses. We will also provide actionable recommendations to help mitigate the risk.

What is the Threat?

A buffer underflow vulnerability exists in the FortiOS and FortiProxy administrative interface, allowing an unauthenticated remote attacker to execute arbitrary code on the device and/or perform a DoS attack on the GUI via specially crafted requests. On certain hardware models the vulnerability also allows a DoS attack. While there is no known instance of this vulnerability being exploited in the wild, it is still important to take swift action to mitigate the risk.

Why is it Noteworthy?

This vulnerability is significant for several reasons. First, it does not require authentication to exploit, meaning that it opens a gateway for malicious actors to gain initial access to corporate networks. Second, this is not the first time Fortinet has experienced a critical security flaw. On February 16, 2023, Fortinet fixed two remote code execution flaws that impacted FortiNAC and FortiWeb products. However, just four days later, a proof-of-concept exploit was made public, and active exploitation began. This shows that attackers are quick to exploit any known vulnerability, making it imperative to act swiftly to protect your systems.

What is the Exposure or Risk?

The vulnerability allows an unauthenticated attacker to execute arbitrary code or perform DoS attacks, which can compromise a system. The following FortiOS versions are vulnerable:

  • FortiOS version 7.2.0 through 7.2.3

  • FortiOS version 7.0.0 through 7.0.9

  • FortiOS version 6.4.0 through 6.4.11

  • FortiOS version 6.2.0 through 6.2.12

  • FortiOS 6.0 all versions

  • FortiProxy version 7.2.0 through 7.2.2

  • FortiProxy version 7.0.0 through 7.0.8

  • FortiProxy version 2.0.0 through 2.0.11

  • FortiProxy 1.2 all versions

  • FortiProxy 1.1 all versions
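As an added example (not part of this advisory), the following Python script checks a FortiOS or FortiProxy version string against the affected ranges listed above, including the "Version:" line that `get system status` prints on a FortiGate. The status line used in the comments and tests is a constructed sample.

```python
import re

# Affected ranges exactly as listed in the advisory above (inclusive bounds).
# A None patch number means "all versions" of that major.minor branch.
AFFECTED = {
    "FortiOS": [((7, 2, 0), (7, 2, 3)), ((7, 0, 0), (7, 0, 9)), ((6, 4, 0), (6, 4, 11)),
                ((6, 2, 0), (6, 2, 12)), ((6, 0, 0), (6, 0, None))],
    "FortiProxy": [((7, 2, 0), (7, 2, 2)), ((7, 0, 0), (7, 0, 8)), ((2, 0, 0), (2, 0, 11)),
                   ((1, 2, 0), (1, 2, None)), ((1, 1, 0), (1, 1, None))],
}

def parse_version(text):
    """Pull (major, minor, patch) out of a version string, e.g. plain '7.2.3' or the
    constructed status line 'Version: FortiGate-100F v7.0.9,build0444,221216 (GA.F)'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())

def is_affected(product, text):
    """True if the version found in `text` falls inside a listed range for `product`."""
    version = parse_version(text)
    for low, high in AFFECTED[product]:
        if high[2] is None:                  # "all versions" of this branch
            if version[:2] == high[:2]:
                return True
        elif low <= version <= high:         # tuple comparison, inclusive bounds
            return True
    return False

def affected_from_status(product, status_output):
    """Scan multi-line `get system status` output for the 'Version:' line and check it."""
    for line in status_output.splitlines():
        if line.strip().startswith("Version:"):
            return is_affected(product, line)
    raise ValueError("no 'Version:' line in status output")
```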

What are the Recommendations?

Enterprotect recommends the following actions to limit the impact of an unauthenticated remote code execution attack:

  1. Upgrade to the latest version:

    • FortiOS version 7.4.0 or above

    • FortiOS version 7.2.4 or above

    • FortiOS version 7.0.10 or above

    • FortiOS version 6.4.12 or above

    • FortiOS version 6.2.13 or above

    • FortiProxy version 7.2.3 or above

    • FortiProxy version 7.0.9 or above

    • FortiProxy version 2.0.12 or above

    • FortiOS-6K7K version 7.0.10 or above

    • FortiOS-6K7K version 6.4.12 or above

    • FortiOS-6K7K version 6.2.13 or above

  2. Workaround to block incoming attacks if you cannot immediately deploy security updates:

    • Disable the HTTP/HTTPS administrative interface.

    • Limit the IP addresses that can reach the administrative interface:

        config firewall address
            edit "my_allowed_addresses"
                set subnet <MY IP> <MY SUBNET>
        end

    • Create an address group:

        config firewall addrgrp
            edit "MGMT_IPs"
                set member "my_allowed_addresses"
        end

    • Create the local-in policy to restrict access only to the predefined group on the management interface (here: port1):

        config firewall local-in-policy
            edit 1
                set intf port1
                set srcaddr "MGMT_IPs"
                set dstaddr "all"
                set action accept
                set service HTTPS HTTP
                set schedule "always"
                set status enable
            next
            edit 2
                set intf "any"
                set srcaddr "all"
                set dstaddr "all"
                set action deny
                set service HTTPS HTTP
                set schedule "always"
                set status enable
        end

    • If using non-default ports, create an appropriate service object for GUI administrative access:

        config firewall service custom
            edit GUI_HTTPS
                set tcp-portrange <admin-sport>
            next
            edit GUI_HTTP
                set tcp-portrange <admin-port>
        end

    • Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.

    • When using an HA reserved management interface, the local-in policy needs to be configured slightly differently; please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005
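To verify that the workaround above is in place, the following added Python script (not Enterprotect's or Fortinet's code) parses `show firewall local-in-policy` output and checks that admin HTTP/HTTPS is accepted only from a named group, denied from everywhere else, and that the deny rule does not sit above and shadow the accept rule. The sample output is constructed, and the script assumes FortiOS's defaults of action deny and status enable for settings that `show` omits.

```python
import shlex

# Constructed sample of `show firewall local-in-policy` after applying the workaround above;
# FortiOS `show` omits defaults, so the deny policy prints no `set action` line.
SAMPLE_CONFIG = """
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_IPs"
        set action accept
        set service "HTTPS" "HTTP"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set service "HTTPS" "HTTP"
    next
end
"""

def parse_local_in_policies(text):
    """Parse config/edit/set/next/end into ordered dicts; every `set` value is a list."""
    policies, cur = [], None
    for line in text.splitlines():
        tokens = shlex.split(line)  # also strips the quotes FortiOS prints
        if tokens[:1] == ["edit"]:
            # action=deny and status=enable are the FortiOS defaults (assumed here)
            cur = {"id": tokens[1], "action": ["deny"], "status": ["enable"]}
        elif tokens[:1] == ["set"] and cur is not None:
            cur[tokens[1]] = tokens[2:]
        elif tokens[:1] == ["next"] and cur is not None:
            policies.append(cur)
            cur = None
    return policies

def audit_admin_access(policies):
    """Return findings against the workaround: admin HTTP/HTTPS accepted only from a
    named group, plus a catch-all deny on intf any that does not shadow that accept."""
    rel = [p for p in policies
           if p["status"] == ["enable"] and set(p.get("service", [])) & {"HTTP", "HTTPS"}]
    denies = [i for i, p in enumerate(rel) if p["action"] == ["deny"]
              and p.get("srcaddr") == ["all"] and p.get("intf") == ["any"]]
    findings = [] if denies else ["no catch-all deny for HTTP/HTTPS on intf any"]
    for i, p in enumerate(rel):
        if p["action"] == ["accept"] and p.get("srcaddr") == ["all"]:
            findings.append(f"policy {p['id']} accepts admin access from all")
        elif p["action"] == ["accept"] and denies and i > denies[0]:
            findings.append(f"policy {p['id']} is shadowed by deny policy {rel[denies[0]]['id']}")
    return findings
```

If you replaced "HTTPS HTTP" with custom GUI_HTTPS/GUI_HTTP service objects, add those names to the service set in `audit_admin_access`.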


Enterprotect recommends immediate action to address this critical security flaw. Upgrading to the latest version of FortiOS and FortiProxy products is the most effective way to address the vulnerability. If you cannot immediately deploy security updates, the workaround we provided can help block incoming attacks. It is important to follow these recommendations to limit the exposure and risks to your systems.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact the Enterprotect Security Operations Center. We are always here to help you protect your systems from threats like these.
