
WARNING: NEW RCE VULNERABILITIES AFFECTING FORTIWEB, FORTIPROXY AND FORTIOS, PATCH AND VERIFY YOUR SYSTEMS ASAP!

Reference: Advisory #2023-110
Version: 1.0
Affected software: 
FortiProxy version 7.2.0 through 7.2.4
FortiProxy version 7.0.0 through 7.0.10
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.11
FortiOS version 6.4.0 through 6.4.12
FortiOS version 6.2.0 through 6.2.14
FortiWeb version 7.2.0 through 7.2.1
FortiWeb version 7.0.0 through 7.0.6
FortiWeb 6.4 all versions
FortiWeb 6.3 all versions
Type: Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2023-29183

CVSS score: 7.3 (high)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Sources

https://fortiguard.com/psirt/FG-IR-23-068

https://www.fortiguard.com/psirt/FG-IR-23-106

Risks

Fortinet released security fixes for two vulnerabilities leading to remote code execution. Both vulnerabilities have a high impact on all three components of the CIA triad (Confidentiality, Integrity, Availability).

The US Cybersecurity and Infrastructure Security Agency (CISA) warns that exploitation of these flaws could lead to full system compromise.

The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.

Description

CVE-2023-29183 is an improper neutralization of input vulnerability affecting FortiOS and FortiProxy, both Fortinet products. An authenticated attacker who successfully exploits this vulnerability could trigger malicious JavaScript code execution via a crafted guest management setting.

CVE-2023-34984 is a failure in the protection mechanism of FortiWeb, a web application firewall from Fortinet. Successfully exploiting this vulnerability may allow an attacker to bypass XSS (cross-site scripting) and CSRF (cross-site request forgery) protections.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends upgrading your software:

For CVE-2023-34984

Upgrade to FortiWeb version 7.2.2 or above

Upgrade to FortiWeb version 7.0.7 or above

For CVE-2023-29183

Upgrade to FortiProxy version 7.2.5 or above

Upgrade to FortiProxy version 7.0.11 or above

Upgrade to FortiOS version 7.4.0 or above

Upgrade to FortiOS version 7.2.5 or above

Upgrade to FortiOS version 7.0.12 or above

Upgrade to FortiOS version 6.4.13 or above

Upgrade to FortiOS version 6.2.15 or above
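The affected ranges and fixed releases above are easy to misread when checking a fleet by hand, so the following added example (not part of this advisory and not a Fortinet tool) encodes them as data and checks recorded version strings against them. The ranges and the fixed releases are those listed in this advisory; the `check` and `parse_version` function names and the inventory lines at the bottom are constructed for the example. For the FortiWeb 6.4 and 6.3 branches the advisory names no fixed release, so the checker flags them as affected without an upgrade target.

```python
"""Version check against the affected ranges in CCB Advisory #2023-110.

Added example; it is not part of the advisory and not a Fortinet tool. The
ranges and fixed releases come from the advisory text; the inventory at the
bottom is constructed sample input.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """Turn strings such as '7.0.10', 'v7.2.4' or '7.0.10 build1234'
    into a comparable tuple, padded to three components."""
    core = text.strip().lstrip("vV")
    for sep in (" ", ",", "-"):          # drop build numbers and suffixes
        core = core.split(sep)[0]
    parts = [int(p) for p in core.split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass(frozen=True)
class AffectedRange:
    product: str
    cve: str
    low: tuple                 # inclusive lower bound from the advisory
    high: Optional[tuple]      # inclusive upper bound; None = whole branch
    fixed: Optional[str]       # first fixed release the advisory names

    def matches(self, v: tuple) -> bool:
        if self.high is None:              # "all versions" of a branch
            return v[: len(self.low)] == self.low
        return self.low <= v <= self.high


# Affected ranges exactly as listed in the advisory.
AFFECTED = [
    AffectedRange("FortiProxy", "CVE-2023-29183", (7, 2, 0), (7, 2, 4), "7.2.5"),
    AffectedRange("FortiProxy", "CVE-2023-29183", (7, 0, 0), (7, 0, 10), "7.0.11"),
    AffectedRange("FortiOS", "CVE-2023-29183", (7, 2, 0), (7, 2, 4), "7.2.5"),
    AffectedRange("FortiOS", "CVE-2023-29183", (7, 0, 0), (7, 0, 11), "7.0.12"),
    AffectedRange("FortiOS", "CVE-2023-29183", (6, 4, 0), (6, 4, 12), "6.4.13"),
    AffectedRange("FortiOS", "CVE-2023-29183", (6, 2, 0), (6, 2, 14), "6.2.15"),
    AffectedRange("FortiWeb", "CVE-2023-34984", (7, 2, 0), (7, 2, 1), "7.2.2"),
    AffectedRange("FortiWeb", "CVE-2023-34984", (7, 0, 0), (7, 0, 6), "7.0.7"),
    AffectedRange("FortiWeb", "CVE-2023-34984", (6, 4), None, None),
    AffectedRange("FortiWeb", "CVE-2023-34984", (6, 3), None, None),
]


def check(product: str, version: str) -> dict:
    """Return whether (product, version) falls in an affected range and, if
    so, the CVEs involved and the fixed release to upgrade to."""
    v = parse_version(version)
    hits = [r for r in AFFECTED
            if r.product.lower() == product.lower() and r.matches(v)]
    result = {"product": product, "version": version, "affected": bool(hits),
              "cves": sorted({r.cve for r in hits}), "upgrade_to": None, "note": ""}
    if hits:
        fixed = [r.fixed for r in hits if r.fixed]
        if fixed:
            result["upgrade_to"] = fixed[0]
        else:
            result["note"] = ("advisory names no fixed release for this branch; "
                              "move to a fixed branch listed under Recommended Actions")
    return result


if __name__ == "__main__":
    # Constructed inventory: product and version string as an admin might record it.
    inventory = [
        ("FortiOS", "7.0.11"),
        ("FortiOS", "v7.2.5 build1517"),
        ("FortiProxy", "7.0.10"),
        ("FortiWeb", "6.4.7"),
        ("FortiWeb", "7.2.2"),
    ]
    for product, version in inventory:
        r = check(product, version)
        if r["affected"]:
            status = "AFFECTED -> upgrade to " + (r["upgrade_to"] or "?")
        else:
            status = "not affected"
        print(f"{product:<11} {version:<18} {status} {' '.join(r['cves'])} {r['note']}")
```

Feed it the product and version strings from your asset inventory; an "affected" result with no upgrade target means the device sits on a branch for which this advisory lists no fixed release, which is worth treating as a migration task rather than a simple patch.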