New Fortinet Vulnerabilities (March 2023)

Most of you have already read about Fortinet’s latest PSIRT advisories. They cover 15 new vulnerabilities in FortiOS and other products, with severity levels ranging from low to critical.

We strongly recommend that you check the PSIRT advisories and update your Fortinet products to one of the patched firmware versions as soon as possible!


We want to highlight one vulnerability in particular, as it occurs on FortiGates and has a CVSSv3 score of 9.3:

FortiOS / FortiProxy – Heap buffer underflow in administrative interface (FG-IR-23-001 / CVE-2023-25610)

Although Fortinet has stated that it is not aware of exploitation in the wild, in particular of the critical vulnerability FG-IR-23-001 (CVE-2023-25610), we at the BOLL Engineering Team have successfully attacked a FortiGate running a vulnerable firmware version in our lab. We therefore assume that we will see exploits in the wild very soon. For confidentiality reasons, we will not publish or share the attack vector.

A workaround for vulnerabilities related to the WebUI is to use local-in policies to restrict public access to a few known public IPs. Please check the PSIRT article or the admin guide for further details.

The trusted-hosts configuration does not behave the same in all releases. In certain releases, the WebUI is not displayed at all when a request comes from outside the range of trusted hosts. Other releases still serve the web page and only refuse the login. In that case, the FortiGate is not protected against this vulnerability despite the trusted-hosts configuration.
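The local-in policy workaround described above, next to the trusted-hosts setting it should not be confused with, as an added example that is not part of the original post. The interface `port1`, the range 192.0.2.0/24 and the object names `MGMT_NET` and `MGMT_IPs` are assumptions for illustration, as is a GUI on the default HTTP/HTTPS ports.

```fortios
# Added example, not from the original post. Lines starting with "#" are
# annotations; remove them before pasting. Assumed values: management
# interface port1, admin source range 192.0.2.0/24 (documentation range),
# object names MGMT_NET / MGMT_IPs, GUI on the default HTTP/HTTPS ports.

# Not sufficient on its own (see the trusted-hosts paragraph above):
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
end

# Local-in policy workaround: define the allowed sources ...
config firewall address
    edit "MGMT_NET"
        set subnet 192.0.2.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "MGMT_IPs"
        set member "MGMT_NET"
    next
end

# ... then accept GUI traffic from them and deny it from everyone else.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_IPs"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "HTTP"
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "HTTP"
        set schedule "always"
        set status enable
    next
end
```

The accept entry must come before the deny entry. If the GUI listens on non-default ports, the service objects have to match those ports instead of the predefined HTTPS and HTTP services.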

2 thoughts on “New Fortinet Vulnerabilities (March 2023)”

  1. Roberto Taccon

    Hello team,

    about what you indicated below

    The trusted-hosts configuration does not behave the same in all releases. In certain releases, the WebUI is not displayed when a request is made outside the range of trusted hosts. Some releases show the web page anyway, but a login is not possible. In this case, the FortiGate is not protected against this vulnerability despite the trusted-hosts.

    Please can you clarify in which versions it doesn’t work?

    • sy (Post author)

      Dear Roberto,

      we know for sure that a DoS attack is possible with 7.2.0-7.2.3 even when you do not have a trusted IP address.
      With the other releases we are not 100% sure, because we have not managed to bring the firewall to its knees permanently with our script yet. However, we cannot conclude from this that it is not possible in another way with the earlier releases.
