There's a critical vulnerability in Fortinet Products. Here's what you need to know.
Background
Fortinet released an advisory detailing a critical security flaw (CVE-2023-25610) in their FortiOS and FortiProxy administrative interface. The vulnerability allows for an unauthenticated attacker to execute arbitrary code or commands. Corvus has observed similar vulnerabilities lead to ransomware incidents. Security patches have been released and should be applied as soon as possible.
Impact
The vulnerability affects the following Fortinet products and versions:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS version 6.2.0 through 6.2.12
- FortiOS 6.0 all versions
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.8
- FortiProxy version 2.0.0 through 2.0.11
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold into the network. From there the attacker would be able to conduct further exploitation and potentially move around the network. Impacted organizations should apply a security patch immediately.
Next Steps
- Download and install the latest version of the affected products:
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.4 or above
- FortiOS version 7.0.10 or above
- FortiOS version 6.4.12 or above
- FortiOS version 6.2.13 or above
- FortiProxy version 7.2.3 or above
- FortiProxy version 7.0.9 or above
- FortiProxy version 2.0.12 or above
- FortiOS-6K7K version 7.0.10 or above
- FortiOS-6K7K version 6.4.12 or above
- FortiOS-6K7K version 6.2.13 or above
- If you aren't able to immediately upgrade, the following workaround can be applied for FortiOS:
- Disable HTTP/HTTPS administrative interface
OR
Limit IP addresses that can reach the administrative interface:config firewall address
edit "my_allowed_addresses"
set subnet <MY IP> <MY SUBNET>
end -
Then create an Address Group:
config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end -
Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):
config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end -
If using non default ports, create appropriate service object for GUI administrative access:
config firewall service custom
edit GUI_HTTPS
set tcp-portrange <admin-sport>
next
edit GUI_HTTP
set tcp-portrange <admin-port>
endUse these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 below.
When using an HA reserved management interface, the local in policy needs to be configured slightly differently - please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005
Please contact Fortinet customer support for assistance.
- Disable HTTP/HTTPS administrative interface