Fortinet plugs critical RCE hole in FortiOS, FortiProxy (CVE-2023-25610)

Fortinet has patched 15 vulnerabilities in a variety of its products, including CVE-2023-25610, a critical flaw affecting devices running FortiOS and FortiProxy.

CVE-2023-25610

None of the patched vulnerabilities is actively exploited, but Fortinet’s devices are often targeted by ransomware gangs and other cyber attackers, so implementing the offered security updates quickly is advised.

About CVE-2023-25610

Discovered by Fortinet infosec engineer Kai Ni, CVE-2023-25610 is a buffer underwrite (‘buffer underflow’) vulnerability found in the FortiOS and FortiProxy administrative interface.

Linux-based FortiOS powers many Fortinet’s products, including its FortiGate firewalls and various switches. FortiProxy is a secure web proxy that protects users against internet-borne attacks.

CVE-2023-25610 can be expoited without prior authentication by remote attackers by sending specially crafted requests. Depending on the targeted device, this may result in either a denial of service (DoS) on its GUI or may allow the attacker to execute arbitrary code on the device.

The flaw affects:

  • FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9, 6.4.0 through 6.4.11, 6.2.0 through 6.2.12, and FortiOS 6.0 (all versions)
  • FortiProxy version 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 2.0.0 through 2.0.11, 1.2 (all versions), and 1.1 (all versions)

Some hardware devices running a vulnerable FortiOS version are only impacted by the the DoS part of the issue, and those are listed in the security advisory.

Fixes and mitigations

As always, patching vulnerabilities is the preferred option, and this can be done by upgrading to:

  • FortiOS version 7.4.0 or above, 7.2.4 or above, 7.0.10 or above, 6.4.12 or above, or 6.2.13 or above
  • FortiProxy version 7.2.3 or above, 7.0.9 or above, or 2.0.12 or above
  • FortiOS-6K7K version 7.0.10 or above, 6.4.12 or above, or 6.2.13 or above

If upgrading FortiOS is impossible at this time, there are possible temporary workarounds, and the include disabling the HTTP/HTTPS administrative interface or limit IP addresses that can reach it.

Don't miss