Fortinet security update includes critical vulnerability patch

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity level: Critical (CVE-2023-25160 – CVSSv3 score: 9.3) – Compromise may result in the loss of confidentiality and integrity of data in the first instance.

Fortinet has released a security update which addressed 15 vulnerabilities, one of which has been classified as critical. CVE-2023-25160 has received a CVSSv3 severity score of 9.3 out of 10 and has been detected to impact FortiOS and FortiProxy. The security flaw pertains to a buffer underwrite in which a programme tries to read more data from a memory buffer than is available, resulting in accessing adjacent memory locations, leading to risky behaviour or crashes.

Impact

CVE-2023-25160 is a buffer underwrite vulnerability in the FortiOS and FortiProxy administrative interface. Successful exploitation of this security flaw could allow a remote unauthenticated threat actor to execute arbitrary code on the device and perform a denial-of-service (DoS) attack on the GUI, via specifically crafted requests.

Vulnerability Detection

Fortinet has released patches pertaining to the vulnerabilities for the respective product versions. As such, previous versions are vulnerable to the potential exploits.

Affected Products

The following versions of FortiOS and FortiProxy are affected by CVE-2023-25160:

– FortiOS: versions 7.2.0 – 7.2.3
– FortiOS: versions 7.0.0 – 7.0.9
– FortiOS: versions 6.4.0 – 6.4.11
– FortiOS: versions 6.2.0 – 6.2.12
– FortiOS 6.0: all versions
– FortiProxy: versions 7.2.0 – 7.2.2
– FortiProxy: versions 7.0.0 – 7.0.8
– FortiProxy: versions 2.0.0 – 2.0.11
– FortiProxy 1.2: all versions
– FortiProxy 1.1: all versions

Containment, Mitigations & Remediations

Fortinet has reported that they are not aware of any active exploitation attempts against the reported vulnerability. However, provided that prior Fortinet security flaws in software have been actively exploited in the wild, it is strongly recommended that users apply the relevant patches as soon as possible.

Fortinet has also reported that fifty device models, listed in their security release, are impacted by the DoS aspect of CVE-2023-25160 but are not impacted by the arbitrary code execution component.

Remediations are available for the following Fortinet product versions:

– FortiOS: versions 6.2.13, 6.4.12, 7.0.10, 7.2.4, and 7.4.0
– FortiOS-6K7K: versions 6.2.13, 6.4.12, and 7.0.10
– FortiProxy: versions 2.0.12, 7.0.9, and 7.0.9

For users who are unable to immediately apply the released patches, the FortiGuard Advisory includes a workaround, which involves disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can reach it.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

The current disclosure has been released just weeks following remediations being issued for 40 vulnerabilities, two of which were classified as critical, impacting FortiNAC (CVE-2022-39952) and FortiWeb (CVE-2021-42756) products.

Fortinet has a significant proportion of the networking hardware market share. Threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to develop exploits for. As a result, networking hardware products are a prime target for threat actors. Due to the fact that Fortinet products have become an integral aspect of personal and business affairs, threat actors will continue to exploit vulnerabilities in an attempt to exfiltrate sensitive data contained therein or impact associated business operations.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:

TA0002 – Execution

Technique – Lateral Movement:

T1210 – Exploitation of Remote Services

Technique – Impact:

T1498 – Network Denial of Service

Further Information

Hacker News Article
Bleeping Computer Article
FortiGuard Advisory