CRITICAL VULNERABILITY affecting Fortinet Products

?

e2e-assure would like to draw your attention to CVE-2023-33308, a critical ‘remote code execution’ vulnerability (CVSS 9.8) in FortiOS and FortiProxy, the embedded operating system and gateway software installed on Fortinet devices.?

Attackers may use specially-crafted packets to exploit a stack-based buffer overflow vulnerability, resulting in the ability to execute ‘arbitrary code’ (i.e. code or commands of their choice).?

An immediate workaround is available, effected by disabling HTTP/2 support on SSL Inspection profiles in use by proxy policies, or by firewall policies with proxy mode enabled. More information on this can be found here.

The vendor recommends the following command set to achieve this:?

config firewall ssl-ssh-profile?

edit “custom-deep-inspection’?

Set support-alpn http1-1?

next?

end?

?

This affects all version of FortiOS between 7.0.0 to 7.0.10 & 7.2.0 to 7.2.3 and all version of FortiProxy between 7.0.0 to 7.0.9 & 7.2.0 to 7.2.2. You should look to perform an emergency out-of-band update to the patched versions, available from the vendor or via your MSP.

The vendor’s threat brief is available here.?

e2e-assure are ready to help you with this, please get in touch if you require further advice or assistance.?