Full Report
CVE-2023-25610 is a critical RCE vulnerability in FortiOS. This vulnerability is a buffer underwrite bug in the administrative interface which could allow a remote unauthenticated attacker to execute code using specially crafted requests. Affected customers should patch immediately.
Analysis Summary
# Vulnerability: Critical RCE via Buffer Underwrite in FortiOS/FortiProxy Administrative Interface
## CVE Details
- CVE ID: CVE-2023-25610
- CVSS Score: Not explicitly provided, but described as **critical** leading to RCE. (Likely high severity based on impact)
- CWE: Buffer Underwrite (related to Buffer Overflow/Out-of-bounds Write)
## Affected Systems
- Products: FortiOS, FortiProxy, FortiOS-6K7K
- Versions:
  - FortiOS: 7.2.0 - 7.2.3, 7.0.0 - 7.0.9, 6.4.0 - 6.4.11, 6.2.0 - 6.2.12, 6.0 (all versions)
  - FortiProxy: 7.2.0 - 7.2.2, 7.0.0 - 7.0.8, 2.0.0 - 2.0.11, 1.2 (all versions), 1.1 (all versions)
  - FortiOS-6K7K: no affected range is stated explicitly; the patched versions listed under Remediation imply exposure across the corresponding version branches.
- Configurations: Affects the administrative interface.
## Vulnerability Description
The vulnerability is a buffer underwrite (underflow) bug located in the administrative interface of FortiOS and FortiProxy. Unlike a classic overflow, where data runs past the end of a buffer that is too small for it, an underwrite writes before the start of the buffer; in both cases memory adjacent to the buffer is overwritten. A remote, unauthenticated attacker can trigger the flaw by sending specially crafted HTTP/HTTPS requests to the administrative interface, potentially leading to remote code execution (RCE) or a denial of service (DoS) against the GUI.
## Exploitation
- Status: **PoC available** (Published March 11, 2023). Exploitation in the wild is highly anticipated due to the critical nature and public PoC.
- Complexity: Likely **Low** for triggering the condition, given the ability of an unauthenticated remote attacker to reach the administrative interface.
- Attack Vector: **Network** (Remote, Unauthenticated)
## Impact
- Confidentiality: High (Potential for arbitrary code execution allows for data exfiltration)
- Integrity: High (Potential for arbitrary code execution allows for system modification)
- Availability: High (Potential for DoS, specifically against the management GUI)
## Remediation
### Patches
Upgrade vulnerable products to the following minimum versions:
- **FortiOS:** 7.4.0 or above, 7.2.4 or above, 7.0.10 or above, 6.4.12 or above, 6.2.13 or above
- **FortiProxy:** 7.2.3 or above, 7.0.9 or above, 2.0.12 or above
- **FortiOS-6K7K:** 7.0.10 or above, 6.4.12 or above, 6.2.13 or above
### Workarounds
If upgrading is not immediately possible:
1. Disable the HTTP/HTTPS administrative interface entirely.
2. Limit IP addresses that can access the administrative interface by configuring allowed addresses and using local-in policies to restrict access to only predefined management groups on the desired interface (e.g., `port1`).
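The two workarounds above written out as FortiOS CLI configuration, as an added example that is not taken from the vendor advisory or this report; the interface name `port1`, the management subnet 10.0.10.0/24, the object names `MGMT_NET` and `MGMT_GROUP` and the `admin` account name are assumptions, and exact CLI syntax can differ slightly between firmware branches.

```text
# Workaround 1: remove HTTP/HTTPS from the administrative protocols allowed on
# the exposed interface (keep only what is actually needed, e.g. ping and ssh).
config system interface
    edit "port1"
        set allowaccess ping ssh
    next
end

# Workaround 2: keep the GUI reachable only from a predefined management group.
# Assumed management subnet: 10.0.10.0/24 (placeholder value).
config firewall address
    edit "MGMT_NET"
        set subnet 10.0.10.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "MGMT_GROUP"
        set member "MGMT_NET"
    next
end

# Local-in policies govern traffic addressed to the device itself and are
# evaluated top-down: accept the management group first, then deny the rest.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_GROUP"
        set dstaddr "all"
        set action accept
        set service "HTTP" "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTP" "HTTPS"
        set schedule "always"
    next
end

# Defence in depth: also pin each admin account to trusted hosts, so a login
# from outside the management subnet is refused even if a policy is misordered.
config system admin
    edit "admin"
        set trusthost1 10.0.10.0 255.255.255.0
    next
end
```

After applying the change, confirm from a host outside the management subnet that the GUI ports no longer answer, and from a host inside it that administration still works before closing the change window.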
## Detection
- Indicators of Compromise: Look for unusual traffic directed at the management interface (ports 80/443/custom GUI ports) containing malformed HTTP requests targeting the administrative functions.
- Detection methods and tools: Wiz customers can use the pre-built query in the Wiz Threat Center to scan for vulnerable instances. Security teams should monitor firewall/WAF logs for request patterns known to exploit buffer underwrites against administrative endpoints.
## References
- Vendor Advisories: https://www.fortiguard.com/psirt/FG-IR-23-001
- PoC Reference: https://github.com/qi4L/CVE-2023-25610