Most of you have already read about the latest batch of Fortinet PSIRT advisories. It covers 15 new vulnerabilities in FortiOS and other Fortinet products, with severity ratings ranging from low to critical.
We strongly recommend that you check the PSIRT advisories and update your Fortinet products to one of the patched firmware versions as soon as possible!
We want to highlight one vulnerability in particular, as it affects FortiGates and carries a CVSSv3 score of 9.3:
FortiOS / FortiProxy – Heap buffer underflow in administrative interface (FG-IR-23-001 / CVE-2023-25610)
Even though Fortinet stated that it is not aware of the critical vulnerability FG-IR-23-001 (CVE-2023-25610) being exploited in the wild, the BOLL Engineering Team has successfully attacked a FortiGate running a vulnerable firmware version in our lab. We therefore assume that we will see exploits in the wild very soon. For confidentiality reasons, we will not publish or share the attack vector.
A workaround for vulnerabilities in the WebUI is to use local-in policies to restrict access to the administrative interface to a few known source IP addresses, so that untrusted clients never reach the management web server at all. Please check the PSIRT article or the admin guide for further details.
The trusted-hosts configuration does not behave the same in all releases, which is why it should not be relied on as the workaround. In certain releases, the WebUI is not served when a request comes from outside the trusted-host ranges. Other releases serve the web page anyway and only refuse the login. In that case the request still reaches the administrative web server before authentication, and the FortiGate is not protected against this vulnerability despite the trusted hosts.
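As an added illustration of the two approaches discussed above (this is example configuration written for this article, not a fragment from the Fortinet advisory or admin guide): the first block is the trusted-hosts setting that, depending on the release, may only block the login; the second is a local-in policy pair that drops management traffic from every source except a named admin host on the WAN interface. The interface name `wan1`, the address object `ADMIN_TRUSTED` and the source address `203.0.113.10` are placeholders to be replaced with your own values.

```text
# 1) Trusted hosts: enforced per admin account. In some releases the
#    login page is still served to non-trusted sources, so a pre-auth
#    request can still reach the administrative interface.
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
    next
end

# 2) Local-in policy: enforced on the interface before the management
#    web server sees the packet. Local-in policies are deny-by-exception,
#    so an explicit catch-all deny is required after the accept entry;
#    without it, non-matching traffic is still allowed by default.
config firewall address
    edit "ADMIN_TRUSTED"
        set subnet 203.0.113.10 255.255.255.255
    next
end

config firewall local-in-policy
    # allow the management ports only from the known admin host
    edit 1
        set intf "wan1"
        set srcaddr "ADMIN_TRUSTED"
        set dstaddr "all"
        set service "HTTPS" "HTTP"
        set schedule "always"
        set action accept
    next
    # drop the management ports from everyone else on this interface
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "HTTP"
        set schedule "always"
        set action deny
    next
end
```

If you have changed the administrative ports (`admin-port` / `admin-sport` under `config system global`), the predefined `HTTP` and `HTTPS` service objects will not match them and you need a custom service object covering the actual ports. After applying the policy, verify it from a source address that is not in `ADMIN_TRUSTED`: an HTTPS request to the WAN address should time out or be reset rather than return the login page. If the login page is still returned, the pre-authentication code path is still reachable and the workaround is not in effect.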