{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-015.pdf"
    },
    "title": "RCE Vulnerability in Fortinet Products",
    "serial_number": "2023-015",
    "publish_date": "08-03-2023 22:15:00",
    "description": "On March 7, 2023, Fortinet released an advisory regarding one critical vulnerability in the FortiOS and FortiProxy administrative interface. This vulnerability is identified as CVE-2023-25610 (CVSS score of 9.3) and it may allow remote unauthenticated attackers to execute arbitrary code on the device and/or to perform a DoS on the GUI. Fortinet is not aware of any instance where this vulnerability was exploited in the wild.",
    "url_title": "2023-015",
    "content_markdown": "--- \ntitle: 'RCE Vulnerability in Fortinet Products'\nversion: '1.0'\nnumber: '2023-015'\noriginal_date: 'March 7, 2023'\ndate: 'March 8, 2023'\n---\n\n_History:_\n\n* _08/03/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn March 7, 2023, Fortinet released an advisory regarding one critical vulnerability in the FortiOS and FortiProxy administrative interface. This vulnerability is identified as `CVE-2023-25610` (CVSS score of 9.3) and it may allow remote unauthenticated attackers to execute arbitrary code on the device and/or to perform a DoS on the GUI [1].\n\nFortinet is not aware of any instance where this vulnerability was exploited in the wild.\n\n# Technical Details\n\nThe vulnerability `CVE-2023-25610` is caused by a heap buffer underflow in the administrative interface, and may allow an unauthenticated attacker to execute arbitrary code on the device and/or to perform a DoS on the GUI, via specifically crafted requests.\n\n# Affected Products\n\nThe following devices/software versions are vulnerable to both arbitrary code execution and DoS:\n\n- FortiOS version 7.2.0 through 7.2.3\n- FortiOS version 7.0.0 through 7.0.9\n- FortiOS version 6.4.0 through 6.4.11\n- FortiOS version 6.2.0 through 6.2.12\n- FortiOS 6.0 all versions\n- FortiProxy version 7.2.0 through 7.2.2\n- FortiProxy version 7.0.0 through 7.0.8\n- FortiProxy version 2.0.0 through 2.0.11\n- FortiProxy 1.2 all versions\n- FortiProxy 1.1 all versions\n\nThere are additional devices/software versions listed in the advisory [1] that are *only* impacted by the DoS part of the issue, *not* by the arbitrary code execution. Please check the extended list.\n\n# Recommendations\n\nUpgrade FortiOS & FortiProxy products to:\n\n- FortiOS version 7.4.0 or above\n- FortiOS version 7.2.4 or above\n- FortiOS version 7.0.10 or above\n- FortiOS version 6.4.12 or above\n- FortiOS version 6.2.13 or above\n- FortiProxy version 7.2.3 or above\n- FortiProxy version 7.0.9 or above\n- FortiProxy version 2.0.12 or above\n- FortiOS-6K7K version 7.0.10 or above\n- FortiOS-6K7K version 6.4.12 or above\n- FortiOS-6K7K version 6.2.13 or above\n\n# Workarounds\n\nA workaround is available for FortiOS [1]:\n\n- Disable the HTTP/HTTPS administrative interface, or limit the IP addresses that can reach the administrative interface;\n- Create an Address Group, then create a Local-in Policy that restricts access on the management interface to the predefined group only.\n\nWhen using an HA reserved management interface, the local-in policy needs to be configured slightly differently [2].\n\n# References\n\n[1] <https://www.fortiguard.com/psirt/FG-IR-23-001>\n\n[2] <https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>08/03/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On March 7, 2023, Fortinet released an advisory regarding one critical vulnerability in the FortiOS and FortiProxy administrative interface. This vulnerability is identified as <code>CVE-2023-25610</code> (CVSS score of 9.3) and it may allow remote unauthenticated attackers to execute arbitrary code on the device and/or to perform a DoS on the GUI [1].</p><p>Fortinet is not aware of any instance where this vulnerability was exploited in the wild.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <code>CVE-2023-25610</code> is caused by a heap buffer underflow in the administrative interface, and may allow an unauthenticated attacker to execute arbitrary code on the device and/or to perform a DoS on the GUI, via specifically crafted requests.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following devices/software versions are vulnerable to both arbitrary code execution and DoS:</p><ul><li>FortiOS version 7.2.0 through 7.2.3</li><li>FortiOS version 7.0.0 through 7.0.9</li><li>FortiOS version 6.4.0 through 6.4.11</li><li>FortiOS version 6.2.0 through 6.2.12</li><li>FortiOS 6.0 all versions</li><li>FortiProxy version 7.2.0 through 7.2.2</li><li>FortiProxy version 7.0.0 through 7.0.8</li><li>FortiProxy version 2.0.0 through 2.0.11</li><li>FortiProxy 1.2 all versions</li><li>FortiProxy 1.1 all versions</li></ul><p>There are additional devices/software versions listed in the advisory [1] that are <em>only</em> impacted by the DoS part of the issue, <em>not</em> by the arbitrary code execution. Please check the extended list.</p><h2 id=\"recommendations\">Recommendations</h2><p>Upgrade FortiOS &amp; FortiProxy products to:</p><ul><li>FortiOS version 7.4.0 or above</li><li>FortiOS version 7.2.4 or above</li><li>FortiOS version 7.0.10 or above</li><li>FortiOS version 6.4.12 or above</li><li>FortiOS version 6.2.13 or above</li><li>FortiProxy version 7.2.3 or above</li><li>FortiProxy version 7.0.9 or above</li><li>FortiProxy version 2.0.12 or above</li><li>FortiOS-6K7K version 7.0.10 or above</li><li>FortiOS-6K7K version 6.4.12 or above</li><li>FortiOS-6K7K version 6.2.13 or above</li></ul><h2 id=\"workarounds\">Workarounds</h2><p>A workaround is available for FortiOS [1]:</p><ul><li>Disable the HTTP/HTTPS administrative interface, or limit the IP addresses that can reach the administrative interface;</li><li>Create an Address Group, then create a Local-in Policy that restricts access on the management interface to the predefined group only.</li></ul><p>When using an HA reserved management interface, the local-in policy needs to be configured slightly differently [2].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-23-001\">https://www.fortiguard.com/psirt/FG-IR-23-001</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005\">https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}