Fortinet Family (FortiOS, FortiProxy) Security Update Recommendations

Overview

An update has been released to fix vulnerabilities in the Fortinet product family. Users of affected versions are advised to update to the latest version.

Affected Products

CVE-2024-23112

  • FortiOS versions 7.4.0 through 7.4.1
  • FortiOS versions 7.2.0 through 7.2.6
  • FortiOS versions 7.0.1 through 7.0.13
  • FortiOS versions 6.4.7 through 6.4.14
  • FortiProxy versions 7.4.0 through 7.4.2
  • FortiProxy versions 7.2.0 through 7.2.8
  • FortiProxy versions 7.0.0 through 7.0.14

CVE-2023-42789, CVE-2023-42790

  • FortiOS versions 7.4.0 through 7.4.1
  • FortiOS versions 7.2.0 through 7.2.5
  • FortiOS versions 7.0.0 through 7.0.13
  • FortiOS versions 6.4.0 through 6.4.14
  • FortiOS versions 6.2.0 through 6.2.15
  • FortiProxy version 7.4.0
  • FortiProxy versions 7.2.0 through 7.2.6
  • FortiProxy versions 7.0.0 through 7.0.12
  • FortiProxy versions 2.0.0 through 2.0.13

Resolved Vulnerabilities

Authorization bypass through a user-controlled key in the FortiOS and FortiProxy SSLVPN, which could allow an authenticated attacker to access another user's bookmarks via URL manipulation (CVE-2024-23112)

Stack-based buffer overflow in the FortiOS and FortiProxy captive portal, which could allow an attacker to execute unauthorized code or commands via crafted HTTP requests (CVE-2023-42789, CVE-2023-42790)

Vulnerability Patches

CVE-2024-23112

  • FortiOS 7.4.x: upgrade to 7.4.2 or later
  • FortiOS 7.2.x: upgrade to 7.2.7 or later
  • FortiOS 7.0.x: upgrade to 7.0.14 or later
  • FortiOS 6.4.x: upgrade to 6.4.15 or later
  • FortiProxy 7.4.x: upgrade to 7.4.3 or later
  • FortiProxy 7.2.x: upgrade to 7.2.9 or later
  • FortiProxy 7.0.x: upgrade to 7.0.15 or later

CVE-2023-42789, CVE-2023-42790

  • FortiOS 7.4.x: upgrade to 7.4.2 or later
  • FortiOS 7.2.x: upgrade to 7.2.6 or later
  • FortiOS 7.0.x: upgrade to 7.0.13 or later
  • FortiOS 6.4.x: upgrade to 6.4.15 or later
  • FortiOS 6.2.x: upgrade to 6.2.16 or later
  • FortiProxy 7.4.x: upgrade to 7.4.1 or later
  • FortiProxy 7.2.x: upgrade to 7.2.7 or later
  • FortiProxy 7.0.x: upgrade to 7.0.13 or later
  • FortiProxy 2.0.x: upgrade to 2.0.14 or later
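Added example, not Fortinet's code: a small inventory check that maps an installed FortiOS or FortiProxy version to the fixed release for each CVE group, using only the affected and fixed versions listed in this advisory. The product labels, the version-string format and the sample inventory at the bottom are assumptions made for illustration.

```python
from typing import Dict, List, Optional, Tuple

def parse(v: str) -> Tuple[int, int, int]:
    """Turn 'major.minor.patch' into a comparable tuple; reject anything else."""
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {v!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

# (product, first affected, last affected, fixed) exactly as this advisory lists them.
RANGES: Dict[str, List[Tuple[str, str, str, str]]] = {
    "CVE-2024-23112": [
        ("FortiOS", "7.4.0", "7.4.1", "7.4.2"),
        ("FortiOS", "7.2.0", "7.2.6", "7.2.7"),
        ("FortiOS", "7.0.1", "7.0.13", "7.0.14"),
        ("FortiOS", "6.4.7", "6.4.14", "6.4.15"),
        ("FortiProxy", "7.4.0", "7.4.2", "7.4.3"),
        ("FortiProxy", "7.2.0", "7.2.8", "7.2.9"),
        ("FortiProxy", "7.0.0", "7.0.14", "7.0.15"),
    ],
    "CVE-2023-42789 / CVE-2023-42790": [
        ("FortiOS", "7.4.0", "7.4.1", "7.4.2"),
        ("FortiOS", "7.2.0", "7.2.5", "7.2.6"),
        ("FortiOS", "7.0.0", "7.0.13", "7.0.13"),
        ("FortiOS", "6.4.0", "6.4.14", "6.4.15"),
        ("FortiOS", "6.2.0", "6.2.15", "6.2.16"),
        ("FortiProxy", "7.4.0", "7.4.0", "7.4.1"),
        ("FortiProxy", "7.2.0", "7.2.6", "7.2.7"),
        ("FortiProxy", "7.0.0", "7.0.12", "7.0.13"),
        ("FortiProxy", "2.0.0", "2.0.13", "2.0.14"),
    ],
}

def assess(product: str, version: str) -> Dict[str, Optional[str]]:
    """For each CVE group, return the fixed release to install, or None if not affected."""
    v = parse(version)
    result: Dict[str, Optional[str]] = {}
    for cve, entries in RANGES.items():
        result[cve] = None
        for prod, first, last, fixed in entries:
            # Never flag a build at or past the fixed release, even where a listed range overlaps it.
            if prod == product and parse(first) <= v <= parse(last) and v < parse(fixed):
                result[cve] = fixed
                break
    return result

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for prod, ver in [("FortiOS", "7.2.5"), ("FortiProxy", "7.4.2"), ("FortiOS", "7.4.2")]:
        print(prod, ver, assess(prod, ver))
```

Branches the advisory does not list (for example a FortiOS 7.6.x build) come back as not affected by this advisory, which is not the same as not affected at all; confirm against the FortiGuard PSIRT pages in the references.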

Referenced Sites

[1] FortiOS & FortiProxy – Authorization bypass in SSLVPN bookmarks
    https://www.fortiguard.com/psirt/FG-IR-24-013

[2] FortiOS & FortiProxy – Out-of-bounds Write in captive portal
    https://www.fortiguard.com/psirt/FG-IR-23-328

[3] CVE-2023-42789
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42789

[4] CVE-2023-42790
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42790