On March 7, Fortinet published an advisory for CVE-2023-25610, a critical remote code execution (RCE) vulnerability in FortiOS, Fortinet's operating system. This vulnerability is a buffer underwrite bug in the administrative interface which could allow a remote unauthenticated attacker to execute code using specially crafted requests.
It is highly recommended to upgrade FortiOS instances to the patched versions.
What is CVE-2023-25610?
The administrative interface for FortiOS and FortiProxy is vulnerable to a buffer underwrite (also known as a "buffer underflow"). A buffer underwrite occurs when a program writes to memory before the start of a buffer, typically because an offset or pointer computed from untrusted input becomes negative or is decremented below the buffer's base. The write then corrupts whatever precedes the buffer, such as other variables or allocator metadata, which is what makes it usable for a crash or for code execution. It is the mirror image of the more familiar buffer overflow, where the write runs past the end of the buffer.
This could allow an unauthenticated attacker to execute arbitrary code on the device or cause a denial of service (DoS) of the GUI by sending specially crafted requests to the administrative interface.
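To make the distinction concrete, here is an added example, constructed for this post: it is not FortiOS code and does not reproduce the CVE-2023-25610 bug itself. A request handler derives a destination offset from an attacker-controlled header length and checks only the upper bound, so a short header drives the write before the start of the buffer and clobbers a control word that happens to sit there; the hardened copy beside it rejects the bad length before subtracting. All names, sizes and the crafted request are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of a buffer underwrite (CWE-124); not FortiOS code
 * and not the CVE-2023-25610 bug. Layout: a 4-byte control word (a flag the
 * handler trusts) sits directly before a 32-byte request buffer inside one
 * backing region, so a write at a negative offset from the buffer lands on
 * the control word.
 */
#define CTRL_BYTES 4
#define BUF_BYTES  32
#define PREFIX_LEN 8  /* header bytes the parser assumes precede the payload */

typedef struct {
    uint8_t region[CTRL_BYTES + BUF_BYTES];
} request_ctx;

static uint8_t *req_buf(request_ctx *c) { return c->region + CTRL_BYTES; }

static uint32_t ctrl_word(const request_ctx *c) {
    uint32_t v;
    memcpy(&v, c->region, sizeof v);
    return v;
}

/*
 * Vulnerable copy: the destination offset comes from an attacker-supplied
 * header length and only the upper bound is checked. A header length below
 * PREFIX_LEN makes the offset negative, so the payload is written before the
 * start of the buffer (underwrite) rather than past its end (overflow).
 */
int copy_payload_vuln(request_ctx *c, uint32_t hdr_len,
                      const uint8_t *payload, size_t n) {
    int32_t off = (int32_t)hdr_len - PREFIX_LEN;
    if (off + (int32_t)n > BUF_BYTES)
        return -1;
    memcpy(req_buf(c) + off, payload, n);
    return 0;
}

/*
 * Hardened copy: reject header lengths below the prefix before subtracting,
 * keep the arithmetic unsigned, and bound-check in a form that cannot wrap.
 */
int copy_payload_safe(request_ctx *c, uint32_t hdr_len,
                      const uint8_t *payload, size_t n) {
    if (hdr_len < PREFIX_LEN)
        return -1;
    size_t off = hdr_len - PREFIX_LEN;
    if (off > BUF_BYTES || n > BUF_BYTES - off)
        return -1;
    memcpy(req_buf(c) + off, payload, n);
    return 0;
}

/* Constructed crafted request: a 4-byte payload of 0xFF, sent with a header
 * length of 4, i.e. below the 8-byte prefix the parser assumes. */
static const uint8_t crafted[4] = {0xff, 0xff, 0xff, 0xff};

/* Control word after the vulnerable copy processes the crafted request. */
uint32_t vuln_ctrl_after_crafted(void) {
    request_ctx c;
    memset(&c, 0, sizeof c);
    copy_payload_vuln(&c, 4, crafted, sizeof crafted);  /* off = 4 - 8 = -4 */
    return ctrl_word(&c);
}

/* Return code of the hardened copy for a request with the given header length. */
int safe_rc_for_hdr_len(uint32_t hdr_len) {
    request_ctx c;
    memset(&c, 0, sizeof c);
    return copy_payload_safe(&c, hdr_len, crafted, sizeof crafted);
}

int main(void) {
    printf("vulnerable copy: control word = 0x%08x (was 0x00000000)\n",
           (unsigned)vuln_ctrl_after_crafted());
    printf("hardened copy: hdr_len=4 -> %d, hdr_len=8 -> %d, hdr_len=40 -> %d\n",
           safe_rc_for_hdr_len(4), safe_rc_for_hdr_len(8), safe_rc_for_hdr_len(40));
    return 0;
}
```

The vulnerable upper-bound check passes because a negative offset plus a small payload length is comfortably below the buffer size; the fix is to validate the untrusted length against the assumed prefix before it is ever used in subtraction.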
A proof of concept was published on March 11, which increases the likelihood of exploitation of this vulnerability in the wild.
Wiz Research data: what’s the risk to cloud environments?
Based on Wiz data, 9% of enterprise cloud environments are susceptible to this vulnerability, and amongst environments running FortiOS, 80% have yet to patch it.
This is the third critical FortiOS vulnerability in recent months. The previous one, CVE-2022-42475, was exploited in the wild shortly after its publication, so this one should be expected to be exploited as well.
Which products are affected?
FortiOS versions 7.2.0 through 7.2.3
FortiOS versions 7.0.0 through 7.0.9
FortiOS versions 6.4.0 through 6.4.11
FortiOS versions 6.2.0 through 6.2.12
FortiOS 6.0 (all versions)
FortiProxy versions 7.2.0 through 7.2.2
FortiProxy versions 7.0.0 through 7.0.8
FortiProxy versions 2.0.0 through 2.0.11
FortiProxy 1.2 (all versions)
FortiProxy 1.1 (all versions)
According to Fortinet, additional products are also potentially affected, but on those an attacker could only achieve denial of service (DoS), not remote code execution (RCE). The full list of affected products is in Fortinet's advisory.
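As an added check (not part of the original post and not a Fortinet tool), the following C program encodes the affected ranges listed above and classifies a bare version string, or a FortiOS "get system status" Version line, as affected or not. The status-line sample and the shape assumed for it are constructed; FortiOS-6K7K is left out because the post lists only its fixed builds, not its affected ranges.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Dotted FortiOS / FortiProxy version, e.g. 7.0.9. */
typedef struct { int major, minor, patch; } fos_ver;

/* Parse "7.0.9" or "v7.0.9"; 0 on success, -1 if the string is not a version. */
int parse_ver(const char *s, fos_ver *v) {
    if (*s == 'v' || *s == 'V')
        s++;
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) == 3 ? 0 : -1;
}

static int cmp_ver(fos_ver a, fos_ver b) {
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* Inclusive affected ranges as listed in the post. Branches given as
 * "all versions" get an open-ended patch bound. FortiOS-6K7K is omitted:
 * the post lists only its fixed builds. */
typedef struct { const char *product; fos_ver lo, hi; } ver_range;
static const ver_range affected[] = {
    {"FortiOS",    {7, 2, 0}, {7, 2, 3}},
    {"FortiOS",    {7, 0, 0}, {7, 0, 9}},
    {"FortiOS",    {6, 4, 0}, {6, 4, 11}},
    {"FortiOS",    {6, 2, 0}, {6, 2, 12}},
    {"FortiOS",    {6, 0, 0}, {6, 0, 9999}},
    {"FortiProxy", {7, 2, 0}, {7, 2, 2}},
    {"FortiProxy", {7, 0, 0}, {7, 0, 8}},
    {"FortiProxy", {2, 0, 0}, {2, 0, 11}},
    {"FortiProxy", {1, 2, 0}, {1, 2, 9999}},
    {"FortiProxy", {1, 1, 0}, {1, 1, 9999}},
};

/* 1 = inside a listed affected range, 0 = not listed (fixed or not covered),
 * -1 = version string could not be parsed. */
int is_affected(const char *product, const char *version) {
    fos_ver v;
    if (parse_ver(version, &v) != 0)
        return -1;
    for (size_t i = 0; i < sizeof affected / sizeof affected[0]; i++) {
        if (strcmp(affected[i].product, product) != 0)
            continue;
        if (cmp_ver(v, affected[i].lo) >= 0 && cmp_ver(v, affected[i].hi) <= 0)
            return 1;
    }
    return 0;
}

/* Pull the "vX.Y.Z" token out of a Version line (assumed shape:
 * "Version: FortiGate-60F v7.0.9,build0444,230105 (GA.F)") and classify it.
 * Returns the same codes as is_affected(). */
int status_line_affected(const char *product, const char *line) {
    const char *p = line;
    char ver[32];
    size_t len;
    /* find " v" followed by a digit, skipping words such as " version" */
    while ((p = strstr(p, " v")) != NULL) {
        if (isdigit((unsigned char)p[2]))
            break;
        p += 2;
    }
    if (p == NULL)
        return -1;
    p += 2;
    len = strcspn(p, ", ");
    if (len == 0 || len >= sizeof ver)
        return -1;
    memcpy(ver, p, len);
    ver[len] = '\0';
    return is_affected(product, ver);
}

int main(void) {
    /* Constructed sample line; the real output also carries the build number. */
    const char *line = "Version: FortiGate-60F v7.0.9,build0444,230105 (GA.F)";
    printf("%s -> affected=%d\n", line, status_line_affected("FortiOS", line));
    printf("FortiOS 7.0.10 -> affected=%d\n", is_affected("FortiOS", "7.0.10"));
    printf("FortiProxy 1.1.6 -> affected=%d\n", is_affected("FortiProxy", "1.1.6"));
    return 0;
}
```

A result of 0 means only that the version is not in a range the post lists; versions on branches the advisory does not cover (or on FortiOS-6K7K) need to be checked against Fortinet's advisory directly.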
Which actions should security teams take?
To remediate this issue, upgrade vulnerable products to one of the following fixed versions:
FortiOS version 7.4.0 or above
FortiOS version 7.2.4 or above
FortiOS version 7.0.10 or above
FortiOS version 6.4.12 or above
FortiOS version 6.2.13 or above
FortiProxy version 7.2.3 or above
FortiProxy version 7.0.9 or above
FortiProxy version 2.0.12 or above
FortiOS-6K7K version 7.0.10 or above
FortiOS-6K7K version 6.4.12 or above
FortiOS-6K7K version 6.2.13 or above
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.
If you are unable to upgrade your vulnerable FortiOS instances, the following workarounds reduce exposure. They only limit who can reach the administrative interface; they do not remove the bug, so upgrade as soon as you can:
Disable the HTTP/HTTPS administrative interface.
Alternatively, limit IP addresses that can reach the administrative interface, by following these instructions:
First, define the allowed source addresses:

    config firewall address
        edit "my_allowed_addresses"
            set subnet <MY IP> <MY SUBNET>
        next
    end

Then, create an address group containing them:

    config firewall addrgrp
        edit "MGMT_IPs"
            set member "my_allowed_addresses"
        next
    end

If using the default ports, create a local-in policy that accepts administrative access only from the predefined group on the management interface (here: port1) and denies it from everywhere else:

    config firewall local-in-policy
        edit 1
            set intf port1
            set srcaddr "MGMT_IPs"
            set dstaddr "all"
            set action accept
            set service HTTPS HTTP
            set schedule "always"
            set status enable
        next
        edit 2
            set intf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action deny
            set service HTTPS HTTP
            set schedule "always"
            set status enable
        next
    end

If using non-default ports, first create service objects for the GUI administrative ports:

    config firewall service custom
        edit GUI_HTTPS
            set tcp-portrange <admin-port>
        next
        edit GUI_HTTP
            set tcp-portrange <admin-port>
        next
    end

Then use GUI_HTTPS GUI_HTTP instead of HTTPS HTTP in the "set service" lines of the local-in policy above.