On March 7, Fortinet published an advisory for CVE-2023-25610, a critical remote code execution (RCE) vulnerability in FortiOS, Fortinet's operating system. This vulnerability is a buffer underwrite bug in the administrative interface which could allow a remote unauthenticated attacker to execute code using specially crafted requests.  

It is highly recommended to upgrade FortiOS instances to the patched versions. 

What is CVE-2023-25610? 

The administrative interface for FortiOS and FortiProxy is vulnerable to a buffer underwrite (also known as a "buffer underflow") exploit. A buffer underwrite vulnerability occurs when a program writes data to a buffer (a temporary storage area) with a size that is smaller than the data being written. This can result in the data overwriting adjacent memory locations. 

This vulnerability could potentially allow an unauthenticated attacker to execute arbitrary code remotely on the device or perform a denial-of-service (DoS) attack on the GUI. The attack would involve sending specially crafted requests to the device. 

A proof of concept has been published on March 11, which will increase the likelihood of exploitation of this vulnerability in the wild.  

Wiz Research data: what’s the risk to cloud environments?       

Based on Wiz data, 9% of cloud enterprise environments are susceptible to this vulnerability, and amongst environments using FortiOS, 80% have yet to patch for it. 

This is the third critical vulnerability in FortiOS this year, the previous one being CVE-2022-42475, which was quickly exploited in the wild after its publication, so we should expect this latest vulnerability to be exploited as well. 

Which products are affected? 

• FortiOS versions 7.2.0 through 7.2.3 

• FortiOS versions 7.0.0 through 7.0.9 

• FortiOS versions 6.4.0 through 6.4.11 

• FortiOS versions 6.2.0 through 6.2.12 

• FortiOS 6.0 (all versions) 

• FortiProxy versions 7.2.0 through 7.2.2 

• FortiProxy versions 7.0.0 through 7.0.8 

• FortiProxy versions 2.0.0 through 2.0.11 

• FortiProxy 1.2 (all versions) 

• FortiProxy 1.1 (all versions) 

According to Fortinet, additional products are also potentially affected by this vulnerability, but an attacker could only achieve denial-of-service (DoS) and not remote code execution (RCE). View the full list of affected products here.     

Which actions should security teams take? 

In order to remediate this issue, please upgrade vulnerable products to the following patched versions: 

• FortiOS version 7.4.0 or above 

• FortiOS version 7.2.4 or above 

• FortiOS version 7.0.10 or above 

• FortiOS version 6.4.12 or above 

• FortiOS version 6.2.13 or above 

• FortiProxy version 7.2.3 or above 

• FortiProxy version 7.0.9 or above 

• FortiProxy version 2.0.12 or above 

• FortiOS-6K7K version 7.0.10 or above 

• FortiOS-6K7K version 6.4.12 or above

• FortiOS-6K7K version 6.2.13 or above   

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.

If you are unable to upgrade your vulnerable FortiOS instances, it is possible to use the following workarounds to mitigate the vulnerability: 

1. Disable the HTTP/HTTPS administrative interface. 

2. Alternatively, limit IP addresses that can reach the administrative interface, by following these instructions: 

• First, edit the allowed addresses: 

• Then, create an Address Group:  

• If using default ports, create the local-in-policy to restrict access only to the predefined group on the management interface (here: port1): 

• If using non-default ports, first create an appropriate service object for GUI administrative access: 

• And then use GUI_HTTPS GUI_HTTP instead of HTTPS HTTP in the previous step. 

References 

• Fortinet's advisory