Fortinet has released a patch to address two vulnerabilities impacting FortiOS and FortiProxy. Tracked as CVE-2023-42789 & CVE-2023-42790, the vulnerabilities are given a critical severity rating with a CVSS score of 9.3. Successful exploitation of the vulnerabilities may allow an attacker to execute unauthorized code.
The brain of Fortinet Security Fabric is its network operating system, FortiOS. The Security Fabric’s operating system, or software, connects all its parts and ensures tight integration throughout the deployment of the Security Fabric across an enterprise.
FortiProxy is a secure web proxy that protects employees against internet-borne attacks using several detection methods like web filtering, DNS filtering, data loss prevention, antivirus, intrusion prevention, and sophisticated threat protection.
Vulnerability Details
An out-of-bounds write, and a Stack-based Buffer Overflow in FortiOS & FortiProxy captive portal may allow an inside attacker with access to the captive portal to execute arbitrary code or commands via specially crafted HTTP requests.
Affected Versions
- FortiOS version 7.4.0 through 7.4.1
- FortiOS version 7.2.0 through 7.2.5
- FortiOS version 7.0.0 through 7.0.12
- FortiOS version 6.4.0 through 6.4.14
- FortiOS version 6.2.0 through 6.2.15
- FortiProxy version 7.4.0
- FortiProxy version 7.2.0 through 7.2.6
- FortiProxy version 7.0.0 through 7.0.12
- FortiProxy version 2.0.0 through 2.0.13
Mitigation
Customers should upgrade to the following versions to patch the vulnerability:
- FortiOS version 7.4.2 or above
- FortiOS version 7.2.6 or above
- FortiOS version 7.0.13 or above
- FortiOS version 6.4.15 or above
- FortiOS version 6.2.16 or above
- FortiProxy version 7.4.1 or above
- FortiProxy version 7.2.7 or above
- FortiProxy version 7.0.13 or above
- FortiProxy version 2.0.14 or above
Fortinet in Q3/23 has remediated this issue in FortiSASE version 23.3.b; hence, the customers need not perform any action.
Virtual Patch named “FortiOS.Captive.Portal.Out.Of.Bounds.Write.” is available in FMWP db update 23.105.
Please refer to the Fortinet PSIRT Advisory (FG-IR-23-328) for more information.
Workaround
Set a non-form-based authentication scheme:
config authentication scheme
edit scheme
set method method
next
end
Where <method> can be any of those:
ntml NTLM authentication.
basic Basic HTTP authentication.
digest Digest HTTP authentication.
negotiate Negotiate authentication.
fsso Fortinet Single Sign-On (FSSO) authentication.
rsso RADIUS Single Sign-On (RSSO) authentication.
ssh-publickey Public key based SSH authentication.
cert Client certificate authentication.
saml SAML authentication
Qualys Detection
Qualys customers can scan their devices with QID 44176 to detect vulnerable FortiOS instances.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.