CVE-2023-33308: 
FortiOS vulnerability analysis and mitigation

A critical stack-based overflow vulnerability (CVE-2023-33308) was discovered in Fortinet FortiOS and FortiProxy. The vulnerability affects FortiOS versions 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3, as well as FortiProxy versions 7.0.0 through 7.0.9 and 7.2.0 through 7.2.2. This vulnerability was initially disclosed on July 11, 2023, and received a CVSS v3.1 score of 9.8, indicating critical severity (Fortinet Advisory, NVD).

The vulnerability is a stack-based buffer overflow (CWE-121) that occurs in proxy policies or firewall policies with proxy mode when SSL deep packet inspection is enabled. The flaw specifically relates to HTTP/2 support in SSL inspection profiles. A remote unauthenticated attacker could potentially exploit this vulnerability by sending specially crafted packets to systems with proxy policies or firewall policies configured in proxy mode alongside deep or full packet inspection (Fortinet Advisory).

If successfully exploited, this vulnerability allows an unauthenticated remote attacker to execute arbitrary code or commands on the affected system. Given the critical nature of FortiOS and FortiProxy in network security infrastructure, successful exploitation could lead to complete system compromise and potential access to the protected network (Arctic Wolf, Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Organizations are advised to upgrade to FortiOS version 7.4.0 or above, 7.2.4 or above, or 7.0.11 or above, and FortiProxy version 7.4.0, 7.2.3, or 7.0.10 or above. As a temporary workaround, organizations can disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode (Fortinet Advisory).

The issue was initially resolved as a bug without a corresponding PSIRT Advisory. Fortinet acknowledged Watchtowr for bringing this omission to their attention, leading to the formal security advisory (Fortinet Advisory).