Fortinet releases fixes for critical flaws in FortiOS and FortiProxy
Take action: Once again Fortinet products are exposed to critical vulnerability. Do not delay applying the patch since a lot of hacker groups have become very skilled in automating the attacks on all Fortinet products as an attack vector for entire networks.
Learn More
Fortinet has disclosed a critical vulnerability and issued a fix for a vulnerability in FortiOS and FortiProxy.
- CVE-2023-33308 (CVSS score 9.8) - vulnerability that allows remote attackers to execute arbitrary code on vulnerable devices. The flaw is characterized as a stack-based overflow vulnerability (CWE-124), which can be exploited by crafted packets that reach proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.
A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection."
The impacted versions of FortiOS include:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.10
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.9
The following versions address the vulnerability:
- FortiOS version 7.2.4 or above
- FortiOS version 7.0.11 or above
- FortiProxy version 7.2.3 or above
- FortiProxy version 7.0.10 or above
To mitigate the vulnerability, the advisory suggests a workaround that involves disabling HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode.
