Fortinet has disclosed a critical severity flaw affecting FortiOS and FortiProxy, allowing a remote attacker to execute arbitrary code on vulnerable devices.
The flaw, discovered by cybersecurity firm Watchtowr, is identified as CVE-2023-33308 and received a CVS v3 rating of 9.8 out of 10.0, calling it “critical”.
“A stack-based overflow vulnerability [CWE-124] in FortiOS and FortiProxy may allow a remote attacker to execute arbitrary code or command through specially crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection,” warns Fortinet in a new notice.
A stack-based overflow is a security issue that occurs when a program writes more data to a buffer on the stack (memory region) than is allocated for the buffer, resulting in a data overflow to adjacent memory locations.
An attacker can exploit these types of flaws by sending a specially crafted input that exceeds the capacity of the buffer to overwrite function-related critical memory parameters, thereby achieving execution of malicious code.
The flaw impacts the following FortiOS versions:
- FortiOS versions 7.2.0 to 7.2.3
- FortiOS versions 7.0.0 to 7.0.10
- FortiProxy version 7.2.0 to 7.2.2
- FortiProxy version 7.0.0 to 7.0.9
Fortinet clarified that the issue was resolved in a previous release without a corresponding notice, so it does not affect the latest branch release, FortiOS 7.4.
Fixes for CVE-2023-33308 have been provided in the following versions:
- FortiOS version 7.2.4 or higher
- FortiOS version 7.0.11 or higher
- FortiProxy version 7.2.3 or higher
- FortiProxy version 7.0.10 or higher
THE Fortinet Consulting clarified that FortiOS products in version branches 6.0, 6.2, 6.4, 2.x, and 1.x are not affected by CVE-2023-33308.
CISA has also posted an alert about the vulnerability, urging affected organizations to apply the available security update.
If admins can’t apply the new firmware immediately, Fortinet says you can disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode as a workaround.
Fortinet provided the following example of a custom deep inspection profile that disabled HTTP/2 support:
config firewall ssl-ssh-profile edit "custom-deep-inspection" set supported-alpn http1-1 next end
Fortinet Patch Lag
Another FortiOS buffer overflow vulnerability tracked as CVE-2023-27997 recently exposed the patch lag issue.
Offensive security solutions company Bishop Fox reported finding 335,900 vulnerable FortiGate firewalls exposed on the Internet, a whole month after the seller made available a patch for the actively exploited bug.
Threat actors are always on the lookout for critical-severity flaws in Fortinet products, especially those that don’t require authentication to exploit, as they provide an easy way to gain initial access to valuable corporate networks.
That said, users and administrators of products running FortiOS are advised to version check their software and ensure they are running a safe version.