FortiOS and FortiProxy Heap Buffer Underflow Vulnerability (CVE-2023-25610)

Fortinet has released a security update to fix a heap buffer underflow vulnerability in its products such as FortiOS and FortiProxy. CVE-2023-25610 has been rated as critical with a CVSSv3 score of 9.3. On successful exploitation, the vulnerability can allow an unauthenticated, remote attacker to execute arbitrary code on the target system and/or perform a DoS on the GUI. 
 
The vulnerability was internally discovered and reported to Fortinet. Fortinet mentioned in the advisory that they are unaware of any instance related to exploiting this vulnerability in the wild.  
 
FortiOS, Fortinet's network operating system, is the brain of the Fortinet Security Fabric: it connects all of the Fabric's components and ensures tight integration across an enterprise deployment.
  
FortiProxy is a secure web proxy that protects employees against internet-borne attacks using several detection methods like web filtering, DNS filtering, data loss prevention, antivirus, intrusion prevention, and sophisticated threat protection. 

Fortinet patched critical vulnerabilities last year:

  • CVE-2022-42475: Pre-authentication Remote Code Execution Vulnerability in FortiOS SSL-VPN
  • CVE-2022-40684: FortiOS, FortiProxy, and FortiSwitch Manager Authentication Bypass Vulnerability

Description

The buffer underflow vulnerability exists in the FortiOS and FortiProxy administrative interface. It may allow an unauthenticated, remote attacker to execute arbitrary code on the device and/or perform a DoS on the GUI by sending specially crafted requests.
 
A buffer underflow, also called a buffer underwrite, is a memory-safety defect in which data is written before the start of the allocated buffer, corrupting neighbouring heap data or allocator metadata; the usual outcome is a crash (denial of service) and, with enough control over the write, arbitrary code execution. The same term is also used for an unrelated streaming condition in which a buffer between two devices or processes is fed data more slowly than it is read from, which can lead to denial of service through resource exhaustion; the heap buffer underflow in this advisory is the memory-corruption case.

Affected Versions
  • FortiOS version 7.2.0 through 7.2.3 
  • FortiOS version 7.0.0 through 7.0.9 
  • FortiOS version 6.4.0 through 6.4.11 
  • FortiOS version 6.2.0 through 6.2.12 
  • FortiOS 6.0, all versions 
  • FortiProxy version 7.2.0 through 7.2.2 
  • FortiProxy version 7.0.0 through 7.0.8 
  • FortiProxy version 2.0.0 through 2.0.11 
  • FortiProxy 1.2, all versions 
  • FortiProxy 1.1, all versions 

Note: The advisory lists 50 models that are affected only by the DoS part of the issue, not by the arbitrary code execution.

Mitigation

Customers should upgrade to the following versions to patch the vulnerability:

  • FortiOS version 7.4.0 or above 
  • FortiOS version 7.2.4 or above 
  • FortiOS version 7.0.10 or above 
  • FortiOS version 6.4.12 or above 
  • FortiOS version 6.2.13 or above 
  • FortiProxy version 7.2.3 or above 
  • FortiProxy version 7.0.9 or above 
  • FortiProxy version 2.0.12 or above 
  • FortiOS-6K7K version 7.0.10 or above 
  • FortiOS-6K7K version 6.4.12 or above 
  • FortiOS-6K7K version 6.2.13 or above

Please refer to the Fortinet PSIRT Advisory (FG-IR-23-001) for more information. 
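To apply the affected and fixed version lists above in vulnerability triage, here is an added Python example (not Fortinet's or Qualys's code) that parses a build string such as the `v7.0.9,build0444` form the FortiOS CLI shows and reports whether the build is affected and which fixed build the advisory names; the FortiOS-6K7K builds are not modelled separately, and the helper names are this example's own.

```python
# Added example (not Fortinet's or Qualys's code): triage a FortiOS/FortiProxy
# build against the affected and fixed versions listed in the advisory above.
from typing import Tuple

Version = Tuple[int, int, int]

# (product, branch, last affected build, first fixed build). None marks a branch
# the advisory lists as affected in all versions with no fix inside that branch.
ADVISORY = [
    ("FortiOS", (7, 2), (7, 2, 3), (7, 2, 4)),
    ("FortiOS", (7, 0), (7, 0, 9), (7, 0, 10)),
    ("FortiOS", (6, 4), (6, 4, 11), (6, 4, 12)),
    ("FortiOS", (6, 2), (6, 2, 12), (6, 2, 13)),
    ("FortiOS", (6, 0), None, None),
    ("FortiProxy", (7, 2), (7, 2, 2), (7, 2, 3)),
    ("FortiProxy", (7, 0), (7, 0, 8), (7, 0, 9)),
    ("FortiProxy", (2, 0), (2, 0, 11), (2, 0, 12)),
    ("FortiProxy", (1, 2), None, None),
    ("FortiProxy", (1, 1), None, None),
]

def parse_version(text: str) -> Version:
    """Accept '7.0.9', 'v7.0.9' or 'v7.0.9,build0444' and return (major, minor, patch)."""
    core = text.strip().lstrip("vV").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def triage(product: str, version_text: str) -> dict:
    """Classify one build: affected?, first fixed build in its branch, and the action to take."""
    v = parse_version(version_text)
    for prod, branch, last_bad, first_fixed in ADVISORY:
        if prod != product or v[:2] != branch:
            continue
        if last_bad is None:               # whole branch affected, nothing to upgrade to in-branch
            return {"affected": True, "fixed_in": None,
                    "action": "no fix in this branch; migrate to a fixed branch"}
        if v <= last_bad:
            return {"affected": True, "fixed_in": first_fixed,
                    "action": "upgrade to %d.%d.%d or above" % first_fixed}
        return {"affected": False, "fixed_in": first_fixed, "action": "none"}
    # Branches the advisory does not list (e.g. FortiOS 7.4) are not flagged as affected.
    return {"affected": False, "fixed_in": None, "action": "none"}
```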

Workaround for FortiOS:

Disable HTTP/HTTPS administrative interface 
OR 
Limit IP addresses that can reach the administrative interface: 
  
config firewall address
edit "my_allowed_addresses"
set subnet <MY IP> <MY SUBNET>
end

 
Then create an Address Group: 
  
config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end

 
Create the Local in Policy to restrict access only to the predefined group on the management interface (here: port1): 
  
config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end

If using non-default ports, create an appropriate service object for GUI administrative access: 
  
config firewall service custom
edit GUI_HTTPS
set tcp-portrange <admin-sport>
next
edit GUI_HTTP
set tcp-portrange <admin-port>
end
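The following added Python check (not Fortinet's or Qualys's code, and not how CID 24976 is implemented) parses the `config firewall local-in-policy` table from a saved configuration and verifies that the workaround above is in place: an enabled accept rule that limits HTTP/HTTPS on the management interface (assumed here to be port1) to a named source object, followed by an enabled catch-all deny for the same services. The sample configuration is constructed for the example.

```python
# Added example (not Fortinet's or Qualys's code): verify the local-in-policy
# workaround in a saved FortiOS config. Minimal parser; the sample is constructed.
import shlex

def parse_table(text, table):
    """Entries of `config <table>` as [(id, {setting: [values]})]; nested blocks are skipped."""
    entries, current, depth, target = [], None, 0, None
    for raw in text.splitlines():
        tokens = shlex.split(raw.replace("\u201c", '"').replace("\u201d", '"'))  # curly quotes -> "
        if not tokens:
            continue
        if tokens[0] == "config":
            depth += 1
            if target is None and " ".join(tokens[1:]) == table:
                target = depth
        elif tokens[0] == "end":
            if depth == target:            # `end` also closes an open `edit`
                if current is not None:
                    entries.append(current)
                current, target = None, None
            depth -= 1
        elif target == depth and tokens[0] in ("edit", "next"):
            if current is not None:
                entries.append(current)
            current = (tokens[1], {}) if tokens[0] == "edit" else None
        elif target == depth and tokens[0] == "set" and current is not None:
            current[1][tokens[1]] = tokens[2:]
    return entries

def admin_access_restricted(config_text, mgmt_intf="port1", services=("HTTP", "HTTPS")):
    """True only if an enabled accept limits HTTP/HTTPS on mgmt_intf to a named source and a catch-all deny follows."""
    want, accept_ok = set(services), False
    for _pid, s in parse_table(config_text, "firewall local-in-policy"):
        svc = set(s.get("service", []))
        if s.get("status", ["enable"])[0] != "enable" or not want & svc:
            continue
        src, action = s.get("srcaddr", []), s.get("action", ["deny"])[0]
        if action == "accept":
            if src == ["all"]:
                return False               # admin ports reachable from any source
            accept_ok = accept_ok or s.get("intf") == [mgmt_intf]
        elif src == ["all"] and want <= svc and s.get("intf", ["any"]) == ["any"]:
            return accept_ok               # catch-all deny counts only after the accept
    return False                           # no catch-all deny: workaround not applied

WORKAROUND = ('config firewall local-in-policy\nedit 1\nset intf port1\nset srcaddr "MGMT_IPs"\n'
              'set dstaddr "all"\nset action accept\nset service HTTPS HTTP\nset status enable\n'
              'next\nedit 2\nset intf "any"\nset srcaddr "all"\nset dstaddr "all"\nset action deny\n'
              'set service HTTPS HTTP\nset status enable\nend\n')
```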

EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)

Qualys Policy Compliance's out-of-the-box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited while remediation (a fix or patch) cannot yet be applied. These controls are not drawn from industry standards such as CIS or DISA-STIG; the Qualys Policy Compliance team releases them based on the vendor-suggested mitigation or workaround.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability.

A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.

The following Qualys Policy Compliance Control IDs (CIDs) and System Defined Controls (SDCs) have been updated to support the vendor-recommended mitigations for FortiOS 6.x and 7.x:

Policy Compliance Control IDs (CIDs): 

  • 24976 Status of the firewall local-in-policy
  • 15425 Status of the Administrative access port for HTTPS set on the FortiGate unit
  • 14572 Status of services configured in Interface Mgmt profile for all Interfaces

Qualys Detection

Qualys customers can scan their devices with QID 43990 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References 
https://www.fortiguard.com/psirt/FG-IR-23-001
