Fortinet Vulnerability Alert | March 2023

There's a critical vulnerability in Fortinet Products. Here's what you need to know.

Background

Fortinet released an advisory detailing a critical security flaw (CVE-2023-25610) in the administrative interface of FortiOS and FortiProxy. The vulnerability allows an unauthenticated attacker to execute arbitrary code or commands. Corvus has observed similar vulnerabilities leading to ransomware incidents. Security patches have been released and should be applied as soon as possible.

Impact

The vulnerability affects the following Fortinet products and versions:

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.9
  • FortiOS version 6.4.0 through 6.4.11
  • FortiOS version 6.2.0 through 6.2.12
  • FortiOS 6.0 all versions
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.8
  • FortiProxy version 2.0.0 through 2.0.11
  • FortiProxy 1.2 all versions
  • FortiProxy 1.1 all versions

Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold in the network. From there the attacker would be able to conduct further exploitation and potentially move laterally across the network. Impacted organizations should apply the security patch immediately.
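The version ranges above are easy to misread during a hurried inventory sweep (inclusive upper bounds, branches with no fix at all, the 7.4 branch that only appears as a fixed release). The following script is an added example, not Corvus's or Fortinet's own tooling: it encodes the affected ranges from the Impact section and the fixed builds from the Next Steps section, parses the version string a FortiGate prints (including the ",buildNNNN" suffix), and triages a constructed sample inventory. Device names and versions in the inventory are made up for the example.

```python
"""Map a FortiOS / FortiProxy build string to its CVE-2023-25610 status using the
affected and fixed versions listed in this alert.  Added example for inventory
triage; it is not Corvus's or Fortinet's own tooling."""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'7.0.9' -> (7, 0, 9). Tolerates a leading 'v' and the ',buildNNNN'
    suffix that 'get system status' prints."""
    core = text.strip().lstrip("vV").split(",")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


# (product, branch, affected_range, first_fixed)
#   affected_range None and first_fixed None : every release in the branch is affected, no fix
#   affected_range None and first_fixed set  : branch appears in the alert only as a fixed release
# FortiOS-6K7K fixed builds are listed in the alert but that platform's affected
# ranges are not, so it is deliberately not modelled here.
BRANCHES = [
    ("FortiOS", (7, 4), None, (7, 4, 0)),
    ("FortiOS", (7, 2), ((7, 2, 0), (7, 2, 3)), (7, 2, 4)),
    ("FortiOS", (7, 0), ((7, 0, 0), (7, 0, 9)), (7, 0, 10)),
    ("FortiOS", (6, 4), ((6, 4, 0), (6, 4, 11)), (6, 4, 12)),
    ("FortiOS", (6, 2), ((6, 2, 0), (6, 2, 12)), (6, 2, 13)),
    ("FortiOS", (6, 0), None, None),
    ("FortiProxy", (7, 2), ((7, 2, 0), (7, 2, 2)), (7, 2, 3)),
    ("FortiProxy", (7, 0), ((7, 0, 0), (7, 0, 8)), (7, 0, 9)),
    ("FortiProxy", (2, 0), ((2, 0, 0), (2, 0, 11)), (2, 0, 12)),
    ("FortiProxy", (1, 2), None, None),
    ("FortiProxy", (1, 1), None, None),
]


def assess(product: str, version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, advice); status is 'affected', 'fixed' or 'not_listed'."""
    v = parse_version(version_text)
    for prod, branch, rng, fixed in BRANCHES:
        if prod.lower() != product.lower() or v[:2] != branch:
            continue
        if fixed is None:  # whole branch vulnerable and nothing in-branch to patch to
            return "affected", "no fixed release in this branch; move to a fixed branch"
        if v >= fixed:
            return "fixed", None
        if rng is None or rng[0] <= v <= rng[1]:
            return "affected", f"upgrade to {fmt(fixed)} or above"
        return "not_listed", "build sits outside the ranges named in the alert; check the vendor PSIRT entry"
    return "not_listed", "branch not named in the alert; check the vendor PSIRT entry"


INVENTORY = [  # constructed sample inventory, not real devices
    ("fw-edge-01", "FortiOS", "v7.0.9,build0444"),
    ("fw-edge-02", "FortiOS", "7.2.4"),
    ("proxy-01", "FortiProxy", "2.0.11"),
    ("fw-lab", "FortiOS", "6.0.15"),
    ("fw-old", "FortiOS", "5.6.14"),
]


def triage(inventory) -> List[Tuple[str, str, Optional[str]]]:
    """One (device, status, advice) row per inventory entry, affected devices first."""
    rows = [(name, *assess(prod, ver)) for name, prod, ver in inventory]
    return sorted(rows, key=lambda r: r[1] != "affected")


if __name__ == "__main__":
    for name, status, advice in triage(INVENTORY):
        print(f"{name:<12} {status:<10} {advice or ''}")
```

A build that lands in a branch the alert does not name is reported as "not_listed" rather than "fixed": absence from this list is not evidence of safety, and such devices should be checked against the vendor's PSIRT entry directly.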

Next Steps

  1. Download and install a fixed version of the affected product:
    • FortiOS version 7.4.0 or above
    • FortiOS version 7.2.4 or above
    • FortiOS version 7.0.10 or above
    • FortiOS version 6.4.12 or above
    • FortiOS version 6.2.13 or above
    • FortiProxy version 7.2.3 or above
    • FortiProxy version 7.0.9 or above
    • FortiProxy version 2.0.12 or above
    • FortiOS-6K7K version 7.0.10 or above
    • FortiOS-6K7K version 6.4.12 or above
    • FortiOS-6K7K version 6.2.13 or above
  2. If you aren't able to upgrade immediately, the following workaround can be applied on FortiOS:
    1. Disable the HTTP/HTTPS administrative interface
      OR
      Limit the IP addresses that can reach the administrative interface:
      config firewall address
      edit "my_allowed_addresses"
      set subnet <MY IP> <MY SUBNET>
      end

    2. Then create an address group:

      config firewall addrgrp
      edit "MGMT_IPs"
      set member "my_allowed_addresses"
      end

    3. Create the local-in policy that restricts access to the predefined group on the management interface (here: port1):

      config firewall local-in-policy
      edit 1
      set intf port1
      set srcaddr "MGMT_IPs"
      set dstaddr "all"
      set action accept
      set service HTTPS HTTP
      set schedule "always"
      set status enable
      next
      edit 2
      set intf "any"
      set srcaddr "all"
      set dstaddr "all"
      set action deny
      set service HTTPS HTTP
      set schedule "always"
      set status enable
      end

    4. If using non-default ports, create the appropriate service objects for GUI administrative access:

      config firewall service custom
      edit GUI_HTTPS
      set tcp-portrange <admin-sport>
      next
      edit GUI_HTTP
      set tcp-portrange <admin-port>
      end

      Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above (step 3).

      When using an HA reserved management interface, the local-in policy needs to be configured slightly differently; please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005

      Please contact Fortinet customer support for assistance.
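Steps 2.1 to 2.4 above are one procedure with two places where copy-and-paste goes wrong: the subnet has to be valid for the address object, and the service in both local-in policies has to switch from "HTTPS HTTP" to the custom objects whenever non-default admin ports are in use. The following generator is an added example, not Corvus's or Fortinet's tooling: it renders the same CLI lines the workaround shows, parameterised by management subnets, interface and admin ports, and it goes beyond the text by accepting several allowed subnets (numbered address objects, all placed in the MGMT_IPs group) and by refusing IPv6 input, since the workaround above only shows IPv4 address objects. Subnets and ports in the usage call are constructed placeholders.

```python
"""Render the FortiOS local-in-policy workaround from the alert above for a given
set of management subnets, interface and admin ports.  Added example, not
Corvus's or Fortinet's tooling; review the output before applying it."""
import ipaddress
from typing import Iterable, List

DEFAULT_HTTP, DEFAULT_HTTPS = 80, 443


def workaround_config(allowed: Iterable[str], intf: str = "port1",
                      admin_port: int = DEFAULT_HTTP,
                      admin_sport: int = DEFAULT_HTTPS) -> str:
    """CLI text for: address objects -> address group -> custom services (only
    when the admin ports are non-default) -> local-in policy 1 (accept from
    MGMT_IPs) and policy 2 (deny everything else)."""
    nets = []
    for a in allowed:
        net = ipaddress.ip_network(a, strict=True)  # host bits set -> ValueError
        if net.version != 4:
            raise ValueError(f"{a}: only IPv4 is handled; the alert shows IPv4 address objects")
        nets.append(net)
    if not nets:
        raise ValueError("at least one allowed management subnet is required")
    for p in (admin_port, admin_sport):
        if not 1 <= p <= 65535:
            raise ValueError(f"bad port {p}")

    # Step 2.1: one address object per allowed subnet (the alert shows a single one)
    out: List[str] = ["config firewall address"]
    names = []
    for i, net in enumerate(nets, 1):
        name = f"my_allowed_addresses_{i}"
        names.append(name)
        out += [f'    edit "{name}"',
                f"        set subnet {net.network_address} {net.netmask}",
                "    next"]
    out.append("end")

    # Step 2.2: group them
    out += ["config firewall addrgrp", '    edit "MGMT_IPs"',
            "        set member " + " ".join(f'"{n}"' for n in names),
            "    next", "end"]

    # Step 2.4: custom service objects replace HTTPS/HTTP when ports are non-default
    if admin_port != DEFAULT_HTTP or admin_sport != DEFAULT_HTTPS:
        out += ["config firewall service custom",
                "    edit GUI_HTTPS", f"        set tcp-portrange {admin_sport}", "    next",
                "    edit GUI_HTTP", f"        set tcp-portrange {admin_port}", "    next",
                "end"]
        service = "GUI_HTTPS GUI_HTTP"
    else:
        service = "HTTPS HTTP"

    # Step 2.3: allow policy on the management interface, then a catch-all deny
    def policy(pid: int, interface: str, src: str, action: str) -> List[str]:
        return [f"    edit {pid}", f"        set intf {interface}",
                f'        set srcaddr "{src}"', '        set dstaddr "all"',
                f"        set action {action}", f"        set service {service}",
                '        set schedule "always"', "        set status enable", "    next"]

    out += ["config firewall local-in-policy"]
    out += policy(1, intf, "MGMT_IPs", "accept")
    out += policy(2, '"any"', "all", "deny")
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    # constructed placeholder subnets and ports, not values from a real deployment
    print(workaround_config(["203.0.113.0/24", "198.51.100.10/32"],
                            intf="port1", admin_port=8080, admin_sport=8443))
```

Policy order matters: policy 1 (accept from MGMT_IPs) is rendered before policy 2 (deny from any), exactly as in the workaround above, so the deny only catches sources that did not match the allow list. The HA reserved-management-interface case linked above is not modelled by this generator.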