Updated: July 15, 2023

Overview

Fortinet has disclosed a critical stack-based overflow vulnerability (CVE-2023-33308 CVSS score 9.8) in FortiOS and FortiProxy. This vulnerability may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. CISA encourages users and administrators to review the Fortinet security release FG-IR-23-183 and apply the necessary updates. This vulnerability has been actively exploited in the wild, so it is critical that users and administrators apply the security update as soon as possible.

Impact

The impact of CVE-2023-33308, a critical vulnerability in Fortinet’s FortiOS and FortiProxy software, can be severe. If exploited, an attacker could execute arbitrary code on the affected system, which could lead to a number of consequences, including data theft, compromise of Systems, Denial of service, and Remote control of the affected system.

The vulnerability affects proxy policies and/or firewall policies with proxy mode and SSL deep packet inspection enabled. An attacker can send crafted packets to trigger a stack-based buffer overflow condition, which can eventually lead to remote execution of arbitrary code or commands. A proof-of-concept exploit for CVE-2023-33308 was shared on a hacking forum on June 27, 2023. The exploit was reportedly tested against a vulnerable FortiGate firewall and was able to successfully execute arbitrary code. 

Applicable Versions

Affected versions: 

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.10
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.9

Fixed versions:

  • FortiOS version 7.4.0 or above
  • FortiOS version 7.2.4 or above
  • FortiOS version 7.0.11 or above
  • FortiProxy version 7.2.3 or above
  • FortiProxy version 7.0.10 or above

Mitigations and Workarounds

Apply the security fixed update as soon as possible to the FortiOS and FortiProxy devices. Until the patch can be applied, the workaround to prevent exploitation of the vulnerability is to disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode. 

Example with custom-deep-inspection profile:

config firewall ssl-ssh-profile 

   edit "custom-deep-inspection" 

      set supported-alpn http1-1 

   next 

End

View the Fortinet publication for more details.

Best Practices

Here are some best practices to prevent CVE-2023-33308 from being exploited and lessen the impact:

  • Apply the security update as soon as possible. This is the most important step to protect your system from this vulnerability. The security update can be downloaded from the Fortinet website. 
  • Disable proxy mode and SSL deep packet inspection if you are not using them. This will help to prevent attackers from exploiting the vulnerability. 
  •  Keep your software up to date. Fortinet releases security updates regularly to address vulnerabilities. Make sure that you are installing the latest updates as soon as they are available. 
  • Monitor your system for suspicious activity. If you see any unusual activity, such as a sudden increase in traffic or a new process running, investigate it immediately.

By following these best practices, you can help to prevent CVE-2023-33308 from being exploited and minimize the impact if it is exploited. 

Netsurion Detection and Response

Netsurion researchers are continuously monitoring the exploits of this vulnerability. Our security analysts will be adding the IOCs (Indicators of Compromise – the hashes of malicious files and the IP addresses) to Netsurion’s Threat Center, our Threat Intelligence Platform. This will help detect malicious files and suspicious Command and Control communications to malicious IP addresses to detect the exploitation of this vulnerability. Netsurion’s vulnerability management system will also detect the vulnerability (CVE-2023-33308) for customers who have subscribed to Netsurion Vulnerability Management. 


References:

  1. https://www.fortiguard.com/psirt/FG-IR-23-183
  2. https://thehackernews.com/2023/06/critical-fortios-and-fortiproxy.html
  3. https://www.cisa.gov/news-events/alerts/2023/07/11/fortinet-releases-security-update-fortios-and-fortiproxy
  4. https://www.obrela.com/cve-2023-33308-vulnerability-in-fortios-fortiproxy/
  5. https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-flaw-in-fortios-fortiproxy-devices/