Fortinet Addresses Critical Vulnerabilities in FortiOS, FortiProxy, and FortiClientEMS
March 13, 2024
This week, Fortinet, a leading cybersecurity solutions provider, announced the release of security updates aimed at fixing critical code execution vulnerabilities in several of its products, notably FortiOS, FortiProxy, and FortiClientEMS.
The first vulnerability addressed is an out-of-bounds write issue, identified as CVE-2023-42789, with a CVSS score of 9.3. An attacker could exploit this flaw to execute unauthorized code or commands by sending specially crafted HTTP requests to vulnerable devices. The affected versions include Fortinet FortiOS 7.4.0 to 7.4.1, 7.2.0 to 7.2.5, 7.0.0 to 7.0.12, 6.4.0 to 6.4.14, 6.2.0 to 6.2.15, and FortiProxy 7.4.0, 7.2.0 to 7.2.6, 7.0.0 to 7.0.12, 2.0.0 to 2.0.13.
Fortinet has also resolved a high-severity stack-based buffer overflow vulnerability, designated as CVE-2023-42790, with a CVSS score of 8.1. Like the first flaw, this vulnerability could be exploited by an attacker to execute unauthorized code or commands through specially crafted HTTP requests. The affected versions are the same as those impacted by the first vulnerability. Both vulnerabilities were discovered by Gwendal Guégniaud of the Fortinet Product Security Team.
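The affected ranges given above for CVE-2023-42789 and CVE-2023-42790 can be checked against a device inventory. The following is an added example, not Fortinet code: the ranges are copied from this article, while the host names, version strings and the `triage` report format are constructed for illustration.

```python
# Affected ranges for CVE-2023-42789 / CVE-2023-42790, copied from the article.
AFFECTED = {
    "FortiOS": [("7.4.0", "7.4.1"), ("7.2.0", "7.2.5"), ("7.0.0", "7.0.12"),
                ("6.4.0", "6.4.14"), ("6.2.0", "6.2.15")],
    "FortiProxy": [("7.4.0", "7.4.0"), ("7.2.0", "7.2.6"), ("7.0.0", "7.0.12"),
                   ("2.0.0", "2.0.13")],
}

def parse_version(text):
    """'v7.0.12' or '7.0.12 build0000' -> (7, 0, 12); ValueError otherwise."""
    tokens = text.strip().lstrip("vV").split()
    parts = tokens[0].split(".") if tokens else []
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    # Compare as integers: as strings, "7.0.9" would sort after "7.0.12".
    return tuple(int(p) for p in parts)

def is_affected(product, version):
    """True/False for a listed product, None when the article lists no range."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        return None
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)

def triage(inventory):
    """Sort (host, product, version) rows into affected / not_listed / unknown."""
    report = {"affected": [], "not_listed": [], "unknown": []}
    for host, product, version in inventory:
        try:
            hit = is_affected(product, version)
        except ValueError:
            hit = None  # unparseable version: needs a manual look
        key = "unknown" if hit is None else "affected" if hit else "not_listed"
        report[key].append(host)
    return report

# Constructed sample inventory: host names and version strings are made up.
SAMPLE = [
    ("fw-edge-01", "FortiOS", "v7.0.9"),
    ("fw-edge-02", "FortiOS", "7.4.2"),
    ("fw-lab-01", "FortiOS", "6.4.14 build0000"),
    ("proxy-01", "FortiProxy", "7.4.0"),
    ("proxy-02", "FortiProxy", "2.0.14"),
    ("ems-01", "FortiClientEMS", "7.2.1"),
    ("fw-old-01", "FortiOS", "unknown"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `not_listed` result only means the version falls outside the ranges quoted in this article; confirm against the vendor advisory before treating a device as unaffected.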
Furthermore, Fortinet has addressed a critical pervasive SQL injection issue, tracked as CVE-2023-48788, with a CVSS score of 9.3, in the DAS component. The advisory states, "An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests." The affected versions and the release that addressed this flaw are listed in the advisory. This flaw was reported by Thiago Santana from the FortiClientEMS development team and the UK NCSC.
As of now, Fortinet has not reported any instances of these vulnerabilities being exploited in the wild.