Wiz Defend is Here: Threat detection and response for cloud

CVE-2023-25610 a critical RCE vulnerability in FortiOS: everything you need to know

CVE-2023-25610 is a critical RCE vulnerability in FortiOS. This vulnerability is a buffer underwrite bug in the administrative interface which could allow a remote unauthenticated attacker to execute code using specially crafted requests. Affected customers should patch immediately.

2 minutes read

On March 7, Fortinet published an advisory for CVE-2023-25610, a critical remote code execution (RCE) vulnerability in FortiOS, Fortinet's operating system. This vulnerability is a buffer underwrite bug in the administrative interface which could allow a remote unauthenticated attacker to execute code using specially crafted requests.  

It is highly recommended to upgrade FortiOS instances to the patched versions. 

What is CVE-2023-25610? 

The administrative interface for FortiOS and FortiProxy is vulnerable to a buffer underwrite (also known as a "buffer underflow") exploit. A buffer underwrite vulnerability occurs when a program writes data to a buffer (a temporary storage area) with a size that is smaller than the data being written. This can result in the data overwriting adjacent memory locations. 

This vulnerability could potentially allow an unauthenticated attacker to execute arbitrary code remotely on the device or perform a denial-of-service (DoS) attack on the GUI. The attack would involve sending specially crafted requests to the device. 

A proof of concept has been published on March 11, which will increase the likelihood of exploitation of this vulnerability in the wild.  

Wiz Research data: what’s the risk to cloud environments?       

Based on Wiz data, 9% of cloud enterprise environments are susceptible to this vulnerability, and amongst environments using FortiOS, 80% have yet to patch for it. 

This is the third critical vulnerability in FortiOS this year, the previous one being CVE-2022-42475, which was quickly exploited in the wild after its publication, so we should expect this latest vulnerability to be exploited as well. 

Which products are affected? 

  • FortiOS versions 7.2.0 through 7.2.3 

  • FortiOS versions 7.0.0 through 7.0.9 

  • FortiOS versions 6.4.0 through 6.4.11 

  • FortiOS versions 6.2.0 through 6.2.12 

  • FortiOS 6.0 (all versions) 

  • FortiProxy versions 7.2.0 through 7.2.2 

  • FortiProxy versions 7.0.0 through 7.0.8 

  • FortiProxy versions 2.0.0 through 2.0.11 

  • FortiProxy 1.2 (all versions) 

  • FortiProxy 1.1 (all versions) 

According to Fortinet, additional products are also potentially affected by this vulnerability, but an attacker could only achieve denial-of-service (DoS) and not remote code execution (RCE). View the full list of affected products here.     

Which actions should security teams take? 

In order to remediate this issue, please upgrade vulnerable products to the following patched versions: 

  • FortiOS version 7.4.0 or above 

  • FortiOS version 7.2.4 or above 

  • FortiOS version 7.0.10 or above 

  • FortiOS version 6.4.12 or above 

  • FortiOS version 6.2.13 or above 

  • FortiProxy version 7.2.3 or above 

  • FortiProxy version 7.0.9 or above 

  • FortiProxy version 2.0.12 or above 

  • FortiOS-6K7K version 7.0.10 or above 

  • FortiOS-6K7K version 6.4.12 or above

  • FortiOS-6K7K version 6.2.13 or above   

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.

If you are unable to upgrade your vulnerable FortiOS instances, it is possible to use the following workarounds to mitigate the vulnerability: 

  1. Disable the HTTP/HTTPS administrative interface. 

  2. Alternatively, limit IP addresses that can reach the administrative interface, by following these instructions: 

  • First, edit the allowed addresses: 

config firewall address 
edit "my_allowed_addresses" 
set subnet <MY IP> <MY SUBNET> 
end 
  • Then, create an Address Group:  

config firewall addrgrp 
edit "MGMT_IPs" 
set member "my_allowed_addresses" 
end 
  • If using default ports, create the local-in-policy to restrict access only to the predefined group on the management interface (here: port1): 

config firewall local-in-policy 
editset intf port1 
set srcaddr "MGMT_IPs" 
set dstaddr "all" 
set action accept 
set service HTTPS HTTP 
set schedule "always" 
set status enable 
next 
editset intf "any" 
set srcaddr "all" 
set dstaddr "all" 
set action deny 
set service HTTPS HTTP 
set schedule "always" 
set status enable 
end 
  • If using non-default ports, first create an appropriate service object for GUI administrative access: 

config firewall service custom 
edit GUI_HTTPS 
set tcp-portrange <admin-port> 
next 
edit GUI_HTTP 
set tcp-portrange <admin-port> 
end 
  • And then use GUI_HTTPS GUI_HTTP instead of HTTPS HTTP in the previous step. 

References 

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management