FortiOS & FortiProxy Out-of-bounds Write Vulnerability in Captive Portal (CVE-2023-42789 & CVE-2023-42790)

Qualys Security Advisory

Fortinet has released a patch to address two vulnerabilities impacting FortiOS and FortiProxy. Tracked as CVE-2023-42789 & CVE-2023-42790, the vulnerabilities are given a critical severity rating with a CVSS score of 9.3. Successful exploitation of the vulnerabilities may allow an attacker to execute unauthorized code.

The brain of Fortinet Security Fabric is its network operating system, FortiOS. The Security Fabric’s operating system, or software, connects all its parts and ensures tight integration throughout the deployment of the Security Fabric across an enterprise.

FortiProxy is a secure web proxy that protects employees against internet-borne attacks using several detection methods like web filtering, DNS filtering, data loss prevention, antivirus, intrusion prevention, and sophisticated threat protection.

Vulnerability Details

An out-of-bounds write, and a Stack-based Buffer Overflow in FortiOS & FortiProxy captive portal may allow an inside attacker with access to the captive portal to execute arbitrary code or commands via specially crafted HTTP requests.

Affected Versions

  • FortiOS version 7.4.0 through 7.4.1
  • FortiOS version 7.2.0 through 7.2.5
  • FortiOS version 7.0.0 through 7.0.12
  • FortiOS version 6.4.0 through 6.4.14
  • FortiOS version 6.2.0 through 6.2.15
  • FortiProxy version 7.4.0
  • FortiProxy version 7.2.0 through 7.2.6 
  • FortiProxy version 7.0.0 through 7.0.12
  • FortiProxy version 2.0.0 through 2.0.13

Mitigation

Customers should upgrade to the following versions to patch the vulnerability:

  • FortiOS version 7.4.2 or above
  • FortiOS version 7.2.6 or above
  • FortiOS version 7.0.13 or above
  • FortiOS version 6.4.15 or above
  • FortiOS version 6.2.16 or above
  • FortiProxy version 7.4.1 or above
  • FortiProxy version 7.2.7 or above
  • FortiProxy version 7.0.13 or above
  • FortiProxy version 2.0.14 or above

Fortinet in Q3/23 has remediated this issue in FortiSASE version 23.3.b; hence, the customers need not perform any action.

Virtual Patch named “FortiOS.Captive.Portal.Out.Of.Bounds.Write.” is available in FMWP db update 23.105.

Please refer to the Fortinet PSIRT Advisory (FG-IR-23-328) for more information.

Workaround

Set a non-form-based authentication scheme:
config authentication scheme
edit scheme
set method method
next
end

Where can be any of those:
ntml NTLM authentication.
basic Basic HTTP authentication.
digest Digest HTTP authentication.
negotiate Negotiate authentication.
fsso Fortinet Single Sign-On (FSSO) authentication.
rsso RADIUS Single Sign-On (RSSO) authentication.
ssh-publickey Public key based SSH authentication.
cert Client certificate authentication.
saml SAML authentication

Qualys Detection

Qualys customers can scan their devices with QID 44176 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

Reference
https://www.fortiguard.com/psirt/FG-IR-23-328

READ MORE

Leave a Reply

Your email address will not be published. Required fields are marked *