CVE-2023-25610: Critical vulnerability affects FortiOS/FortiProxy

Fortinet on Tuesday informed customers about 15 vulnerabilities discovered in the company’s products, including a flaw that has been assigned a ‘critical’ severity rating.

A critical severity issue affects FortiOS & FortiProxy administrative interface and it allows a remote unauthenticated attacker to execute commands via specifically crafted HTTP requests. Tracked as CVE-2023-25610 (CVSS score of 9.3), the flaw allows an unauthenticated attacker to execute arbitrary code on the system, caused by a heap buffer underflow in the administrative interface.

“A buffer underwrite (‘buffer underflow’) vulnerability in FortiOS & FortiProxy administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests,” Fortinet wrote.

The CVE-2023-25610 vulnerability affects the following products:

• FortiOS version 7.2.0 through 7.2.3
• FortiOS version 7.0.0 through 7.0.9
• FortiOS version 6.4.0 through 6.4.11
• FortiOS version 6.2.0 through 6.2.12
• FortiOS 6.0 all versions
• FortiProxy version 7.2.0 through 7.2.2
• FortiProxy version 7.0.0 through 7.0.8
• FortiProxy version 2.0.0 through 2.0.11
• FortiProxy 1.2 all versions
• FortiProxy 1.1 all versions

To address the flaw, admins should upgrade to FortiOS versions 7.4.0, 7.2.4, 7.0.10, 6.4.12, and 6.2.13, FortiProxy versions 7.2.3, 7.0.9, and 2.0.12, and FortiOS-6K7K versions 7.0.10, 6.4.12, and 6.2.13. Fortinet also provided a workaround on how customers can block incoming attacks even if they cannot immediately deploy security updates.

Admins should disable HTTP/HTTPS administrative interface or limit the IP addresses that can reach the administrative interface using a Local in Policy. Detailed information on how to disable the vulnerable admin interface for FortiOS, and FortiProxy, or limit access per IP address can be found in this Fortinet PSIRT advisory.