Written by Eric Dodge and Harish Segar of the Kudelski Security Threat Detection & Research Team
Summary
Fortinet recently disclosed a critical buffer overflow impacting different versions of FortiOS and FortiProxy, which can lead to an attacker being able to perform arbitrary remote code execution (RCE) on impacted devices. The vulnerability is being tracked as CVE-2023-33308, with a 9.8 severity. Patching of the impacted systems is recommended as soon as possible, or the usage of a workaround done via disabling HTTP/2 support where applicable.
Threat actors are eager to use remote code execution flaws impacting Fortinet products, especially those that require no authentication to exploit, as they provide an easy way to gain initial access to lots of corporate environments.
Affected Applications
Per Fortinet’s advisory, the following are the affected versions of FortiOS and FortiProxy and the relevant fixed versions:
| Product | Affected Versions | Fixed versions |
|---|---|---|
| FortiOS | 7.2.0 through 7.2.3 | 7.2.4 or above, 7.4.0 or above |
| FortiOS | 7.0.0 through 7.0.10 | 7.0.11 or above |
| FortiProxy | 7.2.0 through 7.2.2 | 7.2.3 or above |
| FortiProxy | 7.0.0 through 7.0.9 | 7.0.10 or above |
Technical Details
This exploitation, when properly executed, allows a remote attacked to execute arbitrary code and commands. This is done via specially created packets aimed at the proxy and/or firewall policies that are set with the proxy mode and alongside SSL deep packet inspection. The vulnerability is an exploitation of a buffer underwrite, or buffer underflow, in which data is written to an index or pointer that references a memory location that is before the beginning of the buffer. This can be done via pointer arithmetic’s end in a position before the valid memory location, or can also be achieved with the usage of a negative index.
Solution
- Kudelski Security recommends identifying, validating, and implementing a security update for any affected systems as soon as possible. Administrators should move fast and implement the patch as soon as possible. If the update isn’t available in the device’s dashboard, rebooting the appliance it may make it available. If not, manual download and installation is advised.
- Fortigate users can check if their devices are vulnerable by using the following command on the CLI and comparing with the version table above:
diagnose sys fortiguard-service status
- Users can also use external tools such as Nmap or Shodan to scan their devices for open ports related to SSL VPN (such as 443 or 10443) and check the banner information for the FortiOS version number.
- For clients using Nessus/Tenable, the plugin ID 178148 can be used to identify whether a system is patched for CVE-2023-33308. In addition, plugin ID 73522 can be used to identify Fortinet devices in your network.
Temporary workarounds and mitigations
There is a workaround that can be done while waiting on full patching. The workaround revolves around disabling HTTP/2 support on any SSL inspection profiles that are in use by a proxy or firewall policy with proxy mode. Please see the following link for more information from Fortinet.
What the Cyber Fusion Center (CFC) is doing
The CFC will continue to keep up to date with this vulnerability to provide further updates as they become available.
The CFC is also coordinating with our vulnerability scanning partner to deploy plugins capable of identifying unpatched systems and assets vulnerable to CVE-2023-33308. Once available, organizations with the CFC Vulnerability Scanning service will be able to validate their exposure using the results from the scan.
Sources
- http://www.fortiguard.com/psirt/FG-IR-23-183
- https://www.cisa.gov/news-events/alerts/2023/07/11/fortinet-releases-security-update-fortios-and-fortiproxy
- https://docs.fortinet.com/document/fortigate/7.0.0/new-features/710924/http-2-support-in-proxy-mode-ssl-inspection
- https://www.tenable.com/plugins/nessus/178148
- https://www.tenable.com/plugins/nessus/73522
Kudelski Security Research 