CVE-2023-33306: 
FortiOS vulnerability analysis and mitigation

A null pointer dereference vulnerability (CVE-2023-33306) was discovered in Fortinet's SSL-VPN component, affecting FortiOS versions before 7.2.5, 7.0.11, and 6.4.13, as well as FortiProxy before versions 7.2.4 and 7.0.10. The vulnerability was initially published on June 16, 2023, and was reported by Aliz Hammond of watchTowr and NimdaKey of 360 Noah Lab (Fortinet Advisory).

The vulnerability is classified as a NULL pointer dereference (CWE-476) that can be triggered through specifically crafted requests in the bookmark parameter of the SSL-VPN service. The severity is rated as Medium with a CVSS v3.1 base score of 6.5, indicating significant potential impact (NVD).

When successfully exploited, this vulnerability can lead to a denial of service condition specifically affecting the SSL-VPN service. The impact is limited to service availability, with no reported effects on confidentiality or integrity (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiOS version 7.4.0 or above, FortiOS version 7.2.5 or above, FortiOS version 7.0.11 or above, FortiOS version 6.4.13 or above, FortiProxy version 7.2.4 or above, or FortiProxy version 7.0.10 or above (Fortinet Advisory).