CERT-In Vulnerability Note
CIVN-2023-0392
Multiple Vulnerabilities in Fortinet Products
Original Issue Date: December 29, 2023
Severity Rating: HIGH
Software Affected
- Fortinet FortiOS 6.0.0
- Fortinet FortiOS 6.2.0
- Fortinet FortiOS 6.4.0
- Fortinet FortiProxy 2.0.0
- Fortinet FortiOS 7.0.0
- Fortinet FortiProxy 7.0.0
- Fortinet FortiOS 7.2.0
- Fortinet FortiOS 6.4.9
- Fortinet FortiProxy 7.0.6
- Fortinet FortiOS 7.0.7
- Fortinet FortiProxy 2.0.10
- Fortinet FortiPAM 1.1.0
Overview
Multiple vulnerabilities have been reported in Fortinet FortiOS, Fortinet FortiProxy and Fortinet FortiPAM which could allow a remote attacker to execute arbitrary code and bypass security restrictions on the targeted system.
Description
These vulnerabilities exist in FortiOS, Fortinet FortiProxy and Fortinet FortiPAM due to the use of externally controlled format strings, a double free, and improper access control. A remote attacker could exploit these vulnerabilities to execute arbitrary code or commands via specially crafted API requests, or to bypass the firewall's deny-by-geolocation policy during a GeoIP database update on the system.
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code and bypass security restrictions on the targeted system.
Solution
Apply appropriate updates as mentioned in:
https://www.fortiguard.com/psirt/FG-IR-23-138
https://www.fortiguard.com/psirt/FG-IR-23-432
https://www.fortiguard.com/psirt/FG-IR-23-196
Vendor Information
Fortiguard
https://www.fortiguard.com/psirt/FG-IR-23-138
https://www.fortiguard.com/psirt/FG-IR-23-432
https://www.fortiguard.com/psirt/FG-IR-23-196
References
Fortiguard
https://www.fortiguard.com/psirt/FG-IR-23-138
https://www.fortiguard.com/psirt/FG-IR-23-432
https://www.fortiguard.com/psirt/FG-IR-23-196
CVE Name
CVE-2023-36639
CVE-2023-47536
CVE-2023-41678
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India