Critical Remote Code Execution Vulnerability Detected in Fortinet’s FortiOS and FortiProxy Devices

July 12, 2023

Fortinet, a leading cybersecurity solutions provider, has reported a critical severity flaw in its FortiOS and FortiProxy devices. This vulnerability, identified as CVE-2023-33308, could potentially allow a remote attacker to execute arbitrary code on the affected devices. The flaw was unearthed by cybersecurity firm Watchtowr and has been rated as 'critical' with a CVS v3 score of 9.8 out of 10.0.

According to the advisory issued by Fortinet, the vulnerability is a stack-based overflow flaw (CWE-124) present in FortiOS & FortiProxy. This could potentially allow a remote attacker to execute arbitrary code or command via specially crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. A stack-based overflow is a type of security issue that occurs when a program writes more data to a buffer located on the stack (memory region) than what is allocated for the buffer, causing the data to overflow to adjacent memory locations.

Attackers can exploit these types of vulnerabilities by sending specially crafted input that exceeds the buffer's capacity, overwriting critical memory parameters related to functions, and thereby achieving malicious code execution. The flaw affects several versions of FortiOS. However, Fortinet has clarified that the issue was resolved in a previous release without a corresponding advisory, so it does not impact the latest release branch, FortiOS 7.4.

Fixes for CVE-2023-33308 have been provided in various versions. The Fortinet advisory has clarified that FortiOS products from the 6.0, 6.2, 6.4, 2.x, and 1.x release branches are not impacted by CVE-2023-33308. The Cybersecurity and Infrastructure Security Agency (CISA) has also published an alert about the vulnerability, urging affected organizations to apply the available security update.

If administrators are unable to apply the new firmware immediately, Fortinet suggests disabling HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode as a temporary workaround. Fortinet has provided an example of a custom-deep-inspection profile that disabled HTTP/2 support.

Another FortiOS buffer overflow vulnerability, tracked as CVE-2023-27997, has recently underscored the issue of patch lag. Offensive security solutions firm Bishop Fox reported finding 335,900 vulnerable FortiGate firewalls exposed on the internet, a whole month after the vendor made a fix available for the actively exploited bug.

Threat actors are always on the lookout for critical-severity flaws impacting Fortinet products, especially those that require no authentication to exploit, as they offer an easy route to gain initial access to valuable corporate networks. Therefore, users and administrators of products running FortiOS are strongly advised to check their software release and ensure that they're running a safe version.

Related News

• Critical Remote Code Execution Bug Leaves Over 300,000 Fortinet Firewalls Vulnerable
• Fortinet's FortiNAC Vulnerability Could Lead to Arbitrary Code Execution Attacks
• Fortinet Warns of Potential Exploitation of New FortiOS RCE Vulnerability
• Fortinet Addresses Critical RCE Vulnerability in Fortigate SSL-VPN Devices

Latest News

• Critical Remote Code Execution Vulnerability Discovered in Ghostscript PDF Library
• SAP Addresses Critical Flaw in ECC and S/4HANA Products with New Security Patches
• Microsoft Reveals Unpatched Office Zero-Day Exploited During NATO Summit
• Microsoft's July 2023 Patch Tuesday Addresses 132 Vulnerabilities, Including 6 Zero-Days
• Apple's Emergency Security Updates Disrupt Web Browsing on Some Sites