Critical Vulnerabilities Affecting FortiOS, FortiProxy, and FortiClientEMS

HawkEye CSOC Riyadh

Background

Five Fortinet advisories that address vulnerabilities in a variety of products, such as FortiOS and FortiProxy SSLVPN, FortiWLM MEA for FortiManager, and FortiClientEMS, have been highlighted by CISA.

FortiOS, the network operating system, is the brains behind Fortinet Security Fabric. The Security Fabric’s operating system, or software, serves as the link between all its components and guarantees tight integration when the Security Fabric is deployed throughout an organization.

FortiProxy is a secure web proxy that guards workers against online threats using a range of detection techniques, including web filtering, DNS filtering, data loss prevention, antivirus, intrusion prevention, and advanced threat protection.

FortiClient Endpoint Management Server (FortiClient EMS) is a security management tool that lets customers manage many endpoints (PCs) centrally and at scale. It gives users visibility across the network and the ability to troubleshoot FortiClient EMS, manage devices automatically, and assign security profiles to endpoints.

CVE-2023-42789 and CVE-2023-42790

CVE-2023-42790 is categorized as a stack-based buffer overflow, while CVE-2023-42789 is an out-of-bounds write. Both vulnerabilities are addressed in a single advisory, and together they pose a significant risk.

By exploiting these flaws, internal attackers who have access to the captive portal may be able to execute unauthorized code or commands using specially crafted HTTP requests.

Fortinet has made a patch available to fix two vulnerabilities that affect FortiOS and FortiProxy. The vulnerabilities, identified as CVE-2023-42789 & CVE-2023-42790, have a CVSS score of 9.3, indicating a critical severity level. If the vulnerabilities are successfully exploited, an attacker might be able to run unauthorized code.

Affected versions

  • FortiOS version 7.4.0 through 7.4.1
  • FortiOS version 7.2.0 through 7.2.5
  • FortiOS version 7.0.0 through 7.0.12
  • FortiOS version 6.4.0 through 6.4.14
  • FortiOS version 6.2.0 through 6.2.15
  • FortiProxy version 7.4.0
  • FortiProxy version 7.2.0 through 7.2.6
  • FortiProxy version 7.0.0 through 7.0.12
  • FortiProxy version 2.0.0 through 2.0.13

Workaround and Mitigation

To fix the vulnerability, users need to update to the following versions:

  • FortiOS version 7.4.2 or above
  • FortiOS version 7.2.6 or above
  • FortiOS version 7.0.13 or above
  • FortiOS version 6.4.15 or above
  • FortiOS version 6.2.16 or above
  • FortiProxy version 7.4.1 or above
  • FortiProxy version 7.2.7 or above
  • FortiProxy version 7.0.13 or above
  • FortiProxy version 2.0.14 or above

FortiSASE customers don’t need to take any action, as Fortinet resolved this issue in FortiSASE version 23.3.b in Q3/23.

FMWP database update 23.105 includes a virtual patch designated “FortiOS.Captive.Portal.Out.Of.Bounds.Write.”

In its advisory, Fortinet offers a workaround for CVE-2023-42789 and CVE-2023-42790 that consists of switching to a non-form-based authentication scheme. Users can apply this workaround by configuring the authentication scheme method as shown below:

    config authentication scheme
        edit <scheme>
            set method <method>
        next
    end

Where <method> can be any of the following:

  • ntlm NTLM authentication.
  • basic Basic HTTP authentication.
  • digest Digest HTTP authentication.
  • negotiate Negotiate authentication.
  • fsso Fortinet Single Sign-On (FSSO) authentication.
  • rsso RADIUS Single Sign-On (RSSO) authentication.
  • ssh-publickey Public key based SSH authentication.
  • cert Client certificate authentication.
  • saml SAML authentication.
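The workaround above only helps if every scheme in use actually ends up non-form-based, so it is worth auditing the running configuration after applying it. The Python helper below is an added example, not code from Fortinet or from the advisory: it parses a constructed sample in the layout of FortiOS `show authentication scheme` output (the scheme names are invented for this example) and reports any scheme whose method is still `form`, unset, or outside the list of non-form-based methods given above.

```python
"""Audit FortiOS authentication schemes for form-based methods.

Added example: the configuration text below is a constructed sample in the
CLI layout of `show authentication scheme`; the scheme names are invented.
"""
import re

# Non-form-based methods, exactly as listed in the advisory workaround.
NON_FORM_METHODS = {
    "ntlm", "basic", "digest", "negotiate", "fsso",
    "rsso", "ssh-publickey", "cert", "saml",
}

# Constructed sample: two compliant schemes and one still using the
# form-based method the workaround is meant to remove.
SAMPLE_CONFIG = """\
config authentication scheme
    edit "guest-portal"
        set method form
    next
    edit "corp-ntlm"
        set method ntlm basic
    next
    edit "partner-cert"
        set method cert
    next
end
"""

_EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?$')
_METHOD_RE = re.compile(r"^set\s+method\s+(.+)$")


def parse_schemes(config_text):
    """Return {scheme_name: set_of_methods} from CLI-style config text.

    A scheme with no `set method` line is recorded with an empty set so that
    the auditor can flag it rather than silently skipping it.
    """
    schemes = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            schemes[current] = set()
            continue
        m = _METHOD_RE.match(line)
        if m and current is not None:
            # `set method` may carry several space-separated values.
            schemes[current].update(m.group(1).split())
            continue
        if line == "next":
            current = None
    return schemes


def form_based_schemes(config_text):
    """Names of schemes that do not satisfy the non-form-based workaround."""
    flagged = []
    for name, methods in parse_schemes(config_text).items():
        if not methods or not methods <= NON_FORM_METHODS:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name in form_based_schemes(SAMPLE_CONFIG):
        print(f"scheme {name!r} still uses a form-based or unknown method")
```

A scheme is flagged if any of its methods falls outside the advisory's list, so a scheme mixing `form` with `ntlm` is still reported; feed the function the real `show authentication scheme` output instead of the sample to audit a device.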

CVE-2023-48788 and CVE-2023-47534

Fortinet has fixed a critical-severity vulnerability affecting FortiClient Endpoint Management Server. The flaw, identified as CVE-2023-48788, might give an attacker access to compromised systems and allow them to execute code. A CVSS score of 9.3 has been assigned to the vulnerability.

The second FortiClientEMS vulnerability, CVE-2023-47534, stems from improper neutralization of formula elements in a CSV file. It allowed a remote, unauthenticated attacker to create malicious log entries via forged requests to the server, which could lead to arbitrary command execution on the admin workstation. A CVSS score of 8.7 has been assigned to the vulnerability.
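CVE-2023-47534 belongs to the CSV (formula) injection class: a cell whose text begins with a spreadsheet operator character is treated as a formula rather than data once the export is opened in a spreadsheet application. The Python below is an added example of the defensive control such an export needs, not Fortinet's code: it neutralizes those cells at export time by prefixing a single quote, while leaving genuine negative numbers untouched. The log rows are constructed for the example.

```python
"""Neutralize formula elements when exporting log rows to CSV.

Added example of the defensive control for CSV/formula injection; the log
rows below are constructed and the field names are this example's own.
"""
import csv
import io

# Leading characters that spreadsheet applications interpret as the start
# of a formula or a cell-breaking control sequence.
DANGEROUS_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample: one ordinary row and one whose username field was
# written by an unauthenticated client and carries a formula-like prefix.
SAMPLE_ROWS = [
    {"ts": "2024-03-13T10:01:02Z", "user": "alice", "delta": "-42"},
    {"ts": "2024-03-13T10:01:07Z", "user": "=SUM(A1:A2)", "delta": "7"},
]
FIELDS = ["ts", "user", "delta"]


def _is_number(text):
    """True if the text is a plain numeric literal (so a leading '-' is safe)."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def neutralize_cell(value):
    """Return the cell text with a quote prefix if it could start a formula.

    Numeric values (including negatives) are returned unchanged so that the
    exported numbers still sort and sum correctly in a spreadsheet.
    """
    text = str(value)
    if text.startswith(DANGEROUS_PREFIXES) and not _is_number(text):
        return "'" + text
    return text


def export_log_csv(rows, fieldnames):
    """Serialize rows to CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


if __name__ == "__main__":
    print(export_log_csv(SAMPLE_ROWS, FIELDS))
```

The numeric exception is the usual false-positive trap with this control: a blanket prefix on every leading minus would corrupt every negative number in the export, so the check distinguishes `-42` from `-cmd`.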

Affected versions

  • FortiClientEMS 7.2.0 through 7.2.2
  • FortiClientEMS 7.0.1 through 7.0.10

Mitigation

To fix the vulnerability, users need to update to the following versions:

  • FortiClient EMS 7.2.3 or above
  • FortiClient EMS 7.0.11 or above
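Checking an inventory against the affected and fixed version lists above (for FortiOS and FortiProxy as well as FortiClientEMS) is mechanical but error-prone by hand, since each branch has its own cut-off. The Python below is an added example, not a Fortinet tool: the ranges are transcribed from the lists on this page, the inventory rows are constructed, and any branch the page does not list is simply reported as not matched rather than judged.

```python
"""Check Fortinet product versions against the advisories on this page.

Added example. The ranges are transcribed from the page's affected/fixed
lists; the inventory below is constructed and the host names are invented.
"""

# product -> list of (lowest affected, highest affected, first fixed) per branch
ADVISORY_RANGES = {
    "FortiOS": [
        ("7.4.0", "7.4.1", "7.4.2"),
        ("7.2.0", "7.2.5", "7.2.6"),
        ("7.0.0", "7.0.12", "7.0.13"),
        ("6.4.0", "6.4.14", "6.4.15"),
        ("6.2.0", "6.2.15", "6.2.16"),
    ],
    "FortiProxy": [
        ("7.4.0", "7.4.0", "7.4.1"),
        ("7.2.0", "7.2.6", "7.2.7"),
        ("7.0.0", "7.0.12", "7.0.13"),
        ("2.0.0", "2.0.13", "2.0.14"),
    ],
    "FortiClientEMS": [
        ("7.2.0", "7.2.2", "7.2.3"),
        ("7.0.1", "7.0.10", "7.0.11"),
    ],
}

# Constructed inventory in the shape an asset export might produce.
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "product": "FortiOS", "version": "7.0.12"},
    {"host": "fw-edge-02", "product": "FortiOS", "version": "7.4.2"},
    {"host": "proxy-01", "product": "FortiProxy", "version": "2.0.13"},
    {"host": "ems-01", "product": "FortiClientEMS", "version": "7.2.3"},
]


def parse_version(text):
    """Turn 'v7.0.12' or '7.0.12 build1234' into a comparable (7, 0, 12)."""
    core = text.strip().split()[0].lstrip("v")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def check_version(product, version):
    """Return (is_affected, first_fixed_version_or_None) for one device.

    Versions on a branch the page does not list fall through to (False, None);
    that means 'not matched by these advisories', not 'verified safe'.
    """
    if product not in ADVISORY_RANGES:
        raise ValueError(f"no advisory data for product {product!r}")
    v = parse_version(version)
    for low, high, fixed in ADVISORY_RANGES[product]:
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None


def audit_inventory(rows):
    """Return [(host, first fixed version)] for every affected row."""
    findings = []
    for row in rows:
        affected, fixed = check_version(row["product"], row["version"])
        if affected:
            findings.append((row["host"], fixed))
    return findings


if __name__ == "__main__":
    for host, fixed in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to {fixed} or above")
```

Comparison is done on integer tuples rather than strings so that 7.0.12 correctly sorts after 7.0.9; the fixed version reported is the first patched release on the device's own branch, matching the per-branch upgrade targets listed above.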

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-007

https://www.fortiguard.com/psirt/FG-IR-23-328

HawkEye
© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.