=====================================================================

                             CERT-Renater

                   Note d'Information No. 2024/VULN118
_____________________________________________________________________

DATE                : 13/03/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): FortiOS versions prior to 7.4.2, 7.2.7, 7.0.13,
                     6.4.15, 6.2.16
                     FortiProxy versions prior to 7.4.3, 7.2.9, 7.0.15,
                     2.0.14

=====================================================================
https://fortiguard.fortinet.com/psirt/FG-IR-23-328
https://fortiguard.fortinet.com/psirt/FG-IR-24-013
https://fortiguard.fortinet.com/psirt/FG-IR-23-424
_____________________________________________________________________

FortiOS & FortiProxy - Out-of-bounds Write in captive portal

IR Number    : FG-IR-23-328
Date         : Mar 12, 2024
Severity     : Critical
CVSSv3 Score : 9.3
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2023-42789
                CVE-2023-42790

Summary

An out-of-bounds write vulnerability [CWE-787] and a stack-based
buffer overflow [CWE-121] in the FortiOS & FortiProxy captive portal
may allow an inside attacker who has access to the captive portal to
execute arbitrary code or commands via specially crafted HTTP requests.



Workaround:

Set a non form-based authentication scheme:

config authentication scheme
    edit <scheme>
        set method <method>
    next
end

where <method> can be any of the following:

ntlm           NTLM authentication.
basic          Basic HTTP authentication.
digest         Digest HTTP authentication.
negotiate      Negotiate authentication.
fsso           Fortinet Single Sign-On (FSSO) authentication.
rsso           RADIUS Single Sign-On (RSSO) authentication.
ssh-publickey  Public key based SSH authentication.
cert           Client certificate authentication.
saml           SAML authentication.
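As an added audit check (not Fortinet's own tooling; the configuration dump below is constructed), the following Python script parses the "config authentication scheme" block of a FortiOS/FortiProxy configuration dump and lists every scheme whose method is not one of the non form-based methods above, i.e. the schemes to which the workaround still has to be applied. It assumes the usual CLI dump layout (config / edit / set / next / end) and that "set method" may carry several space-separated values.

```python
"""Flag authentication schemes not covered by the FG-IR-23-328 workaround."""

# The non form-based methods the workaround allows (list from the advisory).
NON_FORM_METHODS = {
    "ntlm", "basic", "digest", "negotiate", "fsso",
    "rsso", "ssh-publickey", "cert", "saml",
}

# Constructed sample dump; not taken from any real device.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-example"
end
config authentication scheme
    edit "guest-portal"
        set method form
    next
    edit "proxy-ntlm"
        set method ntlm basic
    next
    edit "saml-only"
        set method saml
    next
end
"""


def parse_auth_schemes(config_text):
    """Return {scheme name: [methods]} from the authentication scheme block."""
    schemes, in_block, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config authentication scheme":
            in_block = True
        elif not in_block:
            continue                       # ignore every other config block
        elif line == "end":
            in_block = False
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')   # names may be quoted
            schemes[current] = []
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set method "):
            schemes[current] = line[len("set method "):].split()
    return schemes


def find_form_based_schemes(config_text):
    """Scheme names using any method outside the allowed set.

    A scheme with no explicit 'set method' is reported too, since its
    effective default cannot be verified from the dump alone."""
    return sorted(
        name for name, methods in parse_auth_schemes(config_text).items()
        if not methods or any(m not in NON_FORM_METHODS for m in methods)
    )


if __name__ == "__main__":
    for name in find_form_based_schemes(SAMPLE_CONFIG):
        print(f"scheme {name!r}: not a non form-based method, apply workaround")
```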

Affected Products

FortiOS version 7.4.0 through 7.4.1
FortiOS version 7.2.0 through 7.2.5
FortiOS version 7.0.0 through 7.0.12
FortiOS version 6.4.0 through 6.4.14
FortiOS version 6.2.0 through 6.2.15
FortiProxy version 7.4.0
FortiProxy version 7.2.0 through 7.2.6
FortiProxy version 7.0.0 through 7.0.12
FortiProxy version 2.0.0 through 2.0.13

Solutions

Please upgrade to FortiOS version 7.4.2 or above
Please upgrade to FortiOS version 7.2.6 or above
Please upgrade to FortiOS version 7.0.13 or above
Please upgrade to FortiOS version 6.4.15 or above
Please upgrade to FortiOS version 6.2.16 or above
Please upgrade to FortiProxy version 7.4.1 or above
Please upgrade to FortiProxy version 7.2.7 or above
Please upgrade to FortiProxy version 7.0.13 or above
Please upgrade to FortiProxy version 2.0.14 or above
Fortinet remediated this issue in FortiSASE version 23.3.b in Q3/23;
FortiSASE customers therefore need not take any action.

Virtual Patch named "FortiOS.Captive.Portal.Out.Of.Bounds.Write."
is available in FMWP db update 23.105



Acknowledgement

Internally discovered and reported by Gwendal Guegniaud of
Fortinet Product Security Team.



Timeline

2024-02-27: Initial publication

_____________________________________________________________________

FortiOS & FortiProxy – Authorization bypass in SSLVPN bookmarks

IR Number    : FG-IR-24-013
Date         : Mar 12, 2024
Component    : SSL-VPN
Severity     : High
CVSSv3 Score : 7.2
Impact       : Improper access control
CVE ID       : CVE-2024-23112

Summary

An authorization bypass through user-controlled key vulnerability
[CWE-639] in FortiOS and FortiProxy SSLVPN may allow an
authenticated attacker to gain access to another user’s bookmark
via URL manipulation.


Version        | Affected             | Solution 
FortiOS 7.4    | 7.4.0 through 7.4.1  | Upgrade to 7.4.2 or above
FortiOS 7.2    | 7.2.0 through 7.2.6  | Upgrade to 7.2.7 or above 
FortiOS 7.0    | 7.0.1 through 7.0.13 | Upgrade to 7.0.14 or above
FortiOS 6.4    | 6.4.7 through 6.4.14 | Upgrade to 6.4.15 or above
FortiProxy 7.4 | 7.4.0 through 7.4.2  | Upgrade to 7.4.3 or above
FortiProxy 7.2 | 7.2.0 through 7.2.8  | Upgrade to 7.2.9 or above 
FortiProxy 7.0 | 7.0.0 through 7.0.14 | Upgrade to 7.0.15 or above

Follow the recommended upgrade path using our tool at:
https://docs.fortinet.com/upgrade-tool


Workaround:
Disable SSL VPN web mode.


Acknowledgement

Internally discovered and reported by Kai Ni from Burnaby InfoSec
team.

_____________________________________________________________________

FortiOS - Improper authentication following read-only user login

IR Number    : FG-IR-23-424
Date         : Mar 12, 2024
Severity     : Medium
CVSSv3 Score : 6.7
Impact       : Escalation of privilege
CVE ID       : CVE-2023-46717

Summary

An improper authentication vulnerability [CWE-287] in FortiOS when
configured with FortiAuthenticator in HA may allow an authenticated
attacker with at least read-only permission to gain read-write access
via successive login attempts.


Affected Products

FortiOS version 7.4.0 through 7.4.1
FortiOS version 7.2.0 through 7.2.6
FortiOS version 7.0.0 through 7.0.12


Solutions

Please upgrade to FortiOS 7.4.2 or above
Please upgrade to FortiOS 7.2.7 or above
Please upgrade to FortiOS 7.0.13 or above

Workaround - Disable push notifications for FortiAuthenticator:

For RADIUS authentication (from FortiAuthenticator):
RADIUS Service > Policies > (select policy) > Authentication Factors >
Advanced Options > Allow FortiToken Mobile push notifications (disable)

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
