
Fortinet has patched a critical heap buffer underflow vulnerability affecting FortiOS and FortiProxy, which can lead to arbitrary code execution.
The critical-severity issue affects the FortiOS and FortiProxy administrative interface and allows a remote unauthenticated attacker to execute commands via specially crafted HTTP requests.
The vulnerability, tracked as CVE-2023-25610 with a CVSS score of 9.3, is caused by a heap buffer underflow in the administrative interface and allows an unauthenticated attacker to execute arbitrary code on the system.
According to the Fortinet statement: “A buffer underwrite (‘buffer underflow’) vulnerability in FortiOS & FortiProxy administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests.”
The CVE-2023-25610 vulnerability affects the following products:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS version 6.2.0 through 6.2.12
- FortiOS 6.0 all versions
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.8
- FortiProxy version 2.0.0 through 2.0.11
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
To address the flaw, admins should upgrade to FortiOS versions 7.4.0, 7.2.4, 7.0.10, 6.4.12, and 6.2.13, FortiProxy versions 7.2.3, 7.0.9, and 2.0.12, and FortiOS-6K7K versions 7.0.10, 6.4.12, and 6.2.13. Fortinet also provided a workaround that customers can use to block incoming attacks if they cannot immediately deploy the security updates.
Admins should disable the HTTP/HTTPS administrative interface or limit the IP addresses that can reach it using a local-in policy. Detailed instructions for disabling the vulnerable admin interface on FortiOS and FortiProxy, or restricting access by IP address, can be found in the Fortinet PSIRT advisory.
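The two workarounds above expressed as a FortiOS CLI configuration fragment, added here as an example and not taken from the article or from Fortinet's advisory; the interface name `port1`, the management subnet `192.0.2.0/24`, and the object and policy names are assumed placeholders.

```fortios
# Added example (not from the article or the advisory). Values such as
# 192.0.2.0/24 and "port1" are assumed placeholders; substitute your own.

# Workaround 2: limit which source addresses may reach the admin GUI.
# 1. Address object for the management hosts that are allowed in.
config firewall address
    edit "admin_mgmt_hosts"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# 2. Local-in policies are evaluated top-down against traffic destined
#    to the device itself: accept the management subnet for HTTP/HTTPS,
#    then deny the same services from everywhere else.
config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "admin_mgmt_hosts"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "HTTP"
        set schedule "always"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "HTTP"
        set schedule "always"
    next
end

# Workaround 1 (alternative): remove http and https from the interface's
# allowed management services entirely, leaving only ssh and ping.
config system interface
    edit "port1"
        set allowaccess ping ssh
    next
end
```

Apply this from a console or SSH session and confirm the accept policy matches the address you administer from before committing the deny policy, or the change will lock you out of the GUI.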