Fortinet has addressed a critical vulnerability in FortiOS and FortiProxy, among other security flaws. The vulnerability, tracked as CVE-2023-25610, is rated 9.3 out of 10 in severity and could allow a remote unauthenticated attacker to execute arbitrary code on the device or perform a DoS on the GUI.
Underflow bugs occur when input data is shorter than the reserved space, leading to unpredictable behavior or leakage of sensitive data from memory.
Fortinet has not received any reports of malicious exploitation attempts against the flaw, but users are advised to apply the patches quickly. Workarounds include disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can reach it.
The vulnerability in FortiOS and FortiProxy affects several versions, including FortiOS versions 6.0 to 7.2.3 and FortiProxy versions 1.1 to 7.2.2.
Fixes are available in FortiOS versions 6.2.13, 6.4.12, 7.0.10, 7.2.4, and 7.4.0, FortiOS-6K7K versions 6.2.13, 6.4.12, and 7.0.10, and FortiProxy versions 2.0.12, 7.0.9, and 7.0.9.
Buffer underwrite vulnerabilities are not uncommon, and they can be exploited to execute arbitrary code or cause a denial of service attack.
Fortinet has recommended that users disable the HTTP/HTTPS administrative interface or limit IP addresses that can reach it as a temporary workaround.
The company is urging users to apply the patches quickly, given that prior flaws in software have come under active abuse in the wild.
This is not the first time that Fortinet has issued fixes for several vulnerabilities. In recent weeks, the company has fixed 40 vulnerabilities, two of which are critical and impact FortiNAC and FortiWeb products.
