On July 11th, 2023, Fortinet published a security advisory detailing a remote code execution vulnerability affecting FortiOS and FortiProxy (CVE-2023-33308). This stack-based overflow vulnerability affects proxy policies and/or firewall policies with proxy mode and SSL deep packet inspection enabled. This CVE was discovered and responsibly disclosed to Fortinet by security researchers. At this time, exploitation has not been observed in the wild, and a proof of concept (PoC) exploit has not been published publicly.
If you are an ISG customer who uses our firewall management services, we have already addressed this vulnerability unless we have been unable to reach you. Please contact us or reach out to your ISG representative to schedule service or if you need assistance.
Summary
As demonstrated in CISA’s Known Exploited Vulnerabilities Catalog, threat actors have actively exploited Fortinet vulnerabilities in the past. Due to the severity of the vulnerability and the fact that similar vulnerabilities have been weaponized by threat actors, ISG and our security partners strongly recommend upgrading to the latest available versions of FortiOS and FortiProxy on all affected devices.
Impacted Products
Products | Vulnerable Versions | Patched Versions |
--- | --- | --- |
FortiOS | 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.10, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0 | FortiOS version 7.4.0 or above; FortiOS version 7.2.4 or above; FortiOS version 7.0.11 or above |
FortiProxy | 7.2.2, 7.2.1, 7.2.0, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0 | FortiProxy version 7.2.3 or above; FortiProxy version 7.0.10 or above |
ISG Technology is working with our security partners to monitor intelligence sources for campaigns linked to active exploitation of this vulnerability.
Recommendations
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
Recommendation #1: Upgrade to the Most Recent Version Release
ISG and our security partners strongly recommend updating to one of the patched versions listed in the Impacted Products table above to remediate the newly discovered vulnerability.
Workaround: Disable HTTP/2 support on SSL Inspection Profiles
If you are unable to upgrade to the versions above, Fortinet's advisory recommends disabling HTTP/2 support on the SSL inspection profiles used by proxy policies or by firewall policies in proxy mode, which mitigates the vulnerability.
Fortinet’s example with custom-deep-inspection profile:
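Fortinet's own CLI example is not reproduced on this page. As an added illustration that is not ISG's or Fortinet's code, the following script checks a device version against the version lists in the table above and scans a FortiOS configuration backup for SSL inspection profiles that still allow HTTP/2; the config grammar and the supported-alpn attribute (values http1-1, http2, all, none) are assumed from the FortiOS CLI reference rather than taken from this page.

```python
# Added example, not ISG's or Fortinet's code. Version lists come from the advisory table;
# the config grammar and supported-alpn values are assumed from the FortiOS CLI reference.
VULNERABLE = {  # (product, branch) -> (highest vulnerable patch level, fixed version)
    ("FortiOS", "7.2"): (3, "7.2.4"),
    ("FortiOS", "7.0"): (10, "7.0.11"),
    ("FortiProxy", "7.2"): (2, "7.2.3"),
    ("FortiProxy", "7.0"): (9, "7.0.10"),
}

def check_version(product, version):
    """Return the fixed version to upgrade to if `version` is listed as vulnerable, else None."""
    major, minor, patch = (int(p) for p in version.split("."))
    entry = VULNERABLE.get((product, f"{major}.{minor}"))
    if entry is None:
        return None  # branch not listed by this advisory (e.g. FortiOS 7.4.0)
    last_vulnerable, fixed = entry
    return fixed if patch <= last_vulnerable else None

def http2_exposed_profiles(config_text):
    """Map profile name -> supported-alpn value for every ssl-ssh-profile entry that does not pin
    ALPN to http1-1 or none. Assumption: a missing supported-alpn is reported as "unset" so the
    operator confirms the platform default rather than trusting it."""
    alpn, current, depth, in_section = {}, None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall ssl-ssh-profile":
            in_section, depth = True, 0
        elif not in_section:
            continue
        elif line.startswith("config "):
            depth += 1  # nested sub-table inside a profile (e.g. config https)
        elif line == "end":
            in_section = depth > 0  # an 'end' at depth 0 closes the whole section
            depth = max(depth - 1, 0)
        elif depth == 0 and line.startswith("edit "):
            current = line[5:].strip('"')
            alpn[current] = "unset"
        elif depth == 0 and line.startswith("set supported-alpn "):
            alpn[current] = line.split()[2]
    return {n: v for n, v in alpn.items() if v not in ("http1-1", "none")}

SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set supported-alpn all
    next
    edit "hardened-deep-inspection"
        set supported-alpn http1-1
    next
end
"""  # constructed sample backup excerpt, not from a real device
```

Running `http2_exposed_profiles(SAMPLE_CONFIG)` reports only `custom-deep-inspection` (ALPN still `all`), which is the profile to fix or to replace with the hardened one on affected policies.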
References
Please see the following references for more information.
Need Help?
If you need help with any of these patches, please contact us or talk to your ISG Representative.