Fortigate remote code execution vulnerability

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

4:10pm, 13 July 2023

TLP Rating: Clear

A vulnerability has been discovered that affects FortiGate devices running FortiOS and FortiProxy.

This stack-based buffer overflow vulnerability allows an attacker to run unauthorised code or commands remotely on the affected system.

The vulnerability is tracked as CVE-2023-33308.

What to look for

How to tell if you're at risk

All FortiGate devices running the following FortiOS and FortiProxy versions are at risk:

  • FortiOS version 7.2.0 through 7.2.3.
  • FortiOS version 7.0.0 through 7.0.10.
  • FortiProxy version 7.2.0 through 7.2.2.
  • FortiProxy version 7.0.0 through 7.0.9.

What to do

Prevention

Upgrade your devices running FortiOS or FortiProxy to the latest version as soon as possible.

Please upgrade to:

  • FortiOS version 7.4.0 or above,
  • FortiOS version 7.2.4 or above,
  • FortiOS version 7.0.11 or above,
  • FortiProxy version 7.2.3 or above,
  • FortiProxy version 7.0.10 or above.

Mitigation

Disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode.

Example with the custom-deep-inspection profile:

    config firewall ssl-ssh-profile
        edit "custom-deep-inspection"
            set supported-alpn http1-1
        next
    end

For more information see the Fortinet page on HTTP/2 support in proxy mode:

HTTP/2 support in proxy mode SSL inspection | FortiGate / FortiOS 7.0.0 (fortinet.com)
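The two checks above (whether a device version is in an affected range, and whether every SSL inspection profile has been restricted to HTTP/1.1) can be run against a saved CLI config backup. The following is an added example, not code from CERT NZ or Fortinet; the sample config is constructed, and it assumes that a profile with no "set supported-alpn" line uses the FortiOS default of "all".

```python
# Added example (not from the advisory or Fortinet): check a FortiOS/FortiProxy version
# against the CVE-2023-33308 ranges and find ssl-ssh-profiles that still allow HTTP/2.

AFFECTED = {  # inclusive version ranges listed in the advisory
    "FortiOS": [((7, 2, 0), (7, 2, 3)), ((7, 0, 0), (7, 0, 10))],
    "FortiProxy": [((7, 2, 0), (7, 2, 2)), ((7, 0, 0), (7, 0, 9))],
}

def is_affected(product, version):
    """True if e.g. ('FortiOS', '7.0.10') falls inside an affected range."""
    ver = tuple(int(p) for p in version.strip().split("."))
    return any(lo <= ver <= hi for lo, hi in AFFECTED.get(product, []))

def profiles_allowing_http2(config_text):
    """Return (profile, alpn) pairs for ssl-ssh-profile entries not limited to HTTP/1.1."""
    flagged, depth, name, alpn = [], 0, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:                      # skip until the profile section starts
            depth = 1 if line == "config firewall ssl-ssh-profile" else 0
            continue
        if line.startswith("config "):      # nested sub-table, e.g. 'config https'
            depth += 1
        elif line == "end":                 # closes a sub-table or the whole section
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            name, alpn = line[5:].strip().strip('"'), "all"   # assumed default: all
        elif depth == 1 and line.startswith("set supported-alpn "):
            alpn = line.split()[2]
        elif depth == 1 and line == "next":
            if alpn in ("all", "http2"):    # 'http1-1' and 'none' do not offer HTTP/2
                flagged.append((name, alpn))
    return flagged

# Constructed sample: one profile at default, one mitigated, one explicitly HTTP/2.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        config https
            set ports 443
        end
    next
    edit "custom-deep-inspection"
        set supported-alpn http1-1
    next
    edit "deep-inspection"
        set supported-alpn http2
    next
end
"""
```

Running profiles_allowing_http2(SAMPLE_CONFIG) flags "certificate-inspection" (default) and "deep-inspection" (http2), while the mitigated profile passes.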

More information

Official information released by Fortinet will be available here:

PSIRT Advisories | FortiGuard

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ