Fortinet Family (FortiOS, FortiProxy, FortiClientLinux, FortiSandbox) Security Update Recommendations

Overview

Security updates have been released to fix vulnerabilities in the Fortinet product family. Users of affected products are advised to update to the latest version.

Affected Products

CVE-2023-41677

  • FortiOS versions 7.4.0 through 7.4.1
  • FortiOS versions 7.2.0 through 7.2.6
  • FortiOS versions 7.0.0 through 7.0.12
  • FortiOS versions 6.4.0 through 6.4.14
  • FortiOS versions 6.2.0 through 6.2.15
  • All versions of FortiOS 6.0.x
  • FortiProxy versions 7.4.0 through 7.4.1
  • FortiProxy versions 7.2.0 through 7.2.7
  • FortiProxy versions 7.0.0 through 7.0.13
  • All versions of FortiProxy 2.0.x
  • All versions of FortiProxy 1.2.x
  • All versions of FortiProxy 1.1.x
  • All versions of FortiProxy 1.0.x

CVE-2023-45590

  • FortiClientLinux version 7.2.0
  • FortiClientLinux versions 7.0.6 through 7.0.10
  • FortiClientLinux versions 7.0.3 through 7.0.4

CVE-2024-23671

  • FortiSandbox versions 4.4.0 through 4.4.3
  • FortiSandbox versions 4.2.0 through 4.2.6
  • FortiSandbox versions 4.0.0 through 4.0.6

CVE-2024-21755, CVE-2024-21756

  • FortiSandbox versions 4.4.0 through 4.4.3
  • FortiSandbox versions 4.2.0 through 4.2.6
  • FortiSandbox versions 4.0.0 through 4.0.4

Resolved Vulnerabilities

Insufficiently protected credentials in FortiOS and FortiProxy that could allow administrator cookies to be obtained over SSL-VPN (CVE-2023-41677)

Arbitrary code execution vulnerability in FortiClientLinux caused by a code injection weakness (CVE-2023-45590)

Arbitrary file deletion via crafted HTTP requests caused by a directory path traversal vulnerability in FortiSandbox (CVE-2024-23671)

OS command injection vulnerabilities in FortiSandbox that could allow unauthorized command execution via crafted requests (CVE-2024-21755, CVE-2024-21756)

Vulnerability Patches

Patches for these vulnerabilities are available in the latest updates. Follow the instructions on the referenced sites to update to a patched version.

CVE-2023-41677

  • FortiOS 7.4 versions: upgrade to 7.4.2 or later
  • FortiOS 7.2 versions: upgrade to 7.2.7 or later
  • FortiOS 7.0 versions: upgrade to 7.0.13 or later
  • FortiOS 6.4 versions: upgrade to 6.4.15 or later
  • FortiOS 6.2 versions: upgrade to 6.2.16 or later
  • FortiProxy 7.4 versions: upgrade to 7.4.2 or later
  • FortiProxy 7.2 versions: upgrade to 7.2.8 or later
  • FortiProxy 7.0 versions: upgrade to 7.0.14 or later

CVE-2023-45590

  • FortiClientLinux 7.2 versions: upgrade to 7.2.1 or later
  • FortiClientLinux 7.0 versions: upgrade to 7.0.11 or later

CVE-2024-23671

  • FortiSandbox 4.4 versions: upgrade to 4.4.4 or later
  • FortiSandbox 4.2 versions: upgrade to 4.2.7 or later
  • FortiSandbox 4.0 versions: upgrade to 4.0.5 or later

CVE-2024-21755, CVE-2024-21756

  • FortiSandbox 4.4 versions: upgrade to 4.4.4 or later
  • FortiSandbox 4.2 versions: upgrade to 4.2.7 or later
  • FortiSandbox 4.0 versions: upgrade to 4.0.5 or later
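A version-range check against the affected builds and fixed versions listed above, added here as an example (it is not part of the original advisory and not Fortinet tooling); the table is transcribed from the lists in this advisory, and the check assumes Fortinet's dotted `major.minor.patch` build numbering. Versions are compared as integer tuples because a plain string comparison sorts 7.0.9 after 7.0.12 and would report an affected build as clean.

```python
# Added example (not Fortinet tooling): check a build against the affected
# ranges and fixed versions transcribed from this advisory.
# Rows: (product, CVE, first affected, last affected, fixed-in). last affected
# None = whole branch ("all versions of 6.0.x"); fixed-in None = none listed.
AFFECTED = [
    ("FortiOS", "CVE-2023-41677", "7.4.0", "7.4.1", "7.4.2"),
    ("FortiOS", "CVE-2023-41677", "7.2.0", "7.2.6", "7.2.7"),
    ("FortiOS", "CVE-2023-41677", "7.0.0", "7.0.12", "7.0.13"),
    ("FortiOS", "CVE-2023-41677", "6.4.0", "6.4.14", "6.4.15"),
    ("FortiOS", "CVE-2023-41677", "6.2.0", "6.2.15", "6.2.16"),
    ("FortiOS", "CVE-2023-41677", "6.0.0", None, None),
    ("FortiProxy", "CVE-2023-41677", "7.4.0", "7.4.1", "7.4.2"),
    ("FortiProxy", "CVE-2023-41677", "7.2.0", "7.2.7", "7.2.8"),
    ("FortiProxy", "CVE-2023-41677", "7.0.0", "7.0.13", "7.0.14"),
    ("FortiProxy", "CVE-2023-41677", "2.0.0", None, None),
    ("FortiProxy", "CVE-2023-41677", "1.2.0", None, None),
    ("FortiProxy", "CVE-2023-41677", "1.1.0", None, None),
    ("FortiProxy", "CVE-2023-41677", "1.0.0", None, None),
    ("FortiClientLinux", "CVE-2023-45590", "7.2.0", "7.2.0", "7.2.1"),
    ("FortiClientLinux", "CVE-2023-45590", "7.0.6", "7.0.10", "7.0.11"),
    ("FortiClientLinux", "CVE-2023-45590", "7.0.3", "7.0.4", "7.0.11"),
    ("FortiSandbox", "CVE-2024-23671", "4.4.0", "4.4.3", "4.4.4"),
    ("FortiSandbox", "CVE-2024-23671", "4.2.0", "4.2.6", "4.2.7"),
    ("FortiSandbox", "CVE-2024-23671", "4.0.0", "4.0.6", "4.0.5"),  # as listed above
    ("FortiSandbox", "CVE-2024-21755, CVE-2024-21756", "4.4.0", "4.4.3", "4.4.4"),
    ("FortiSandbox", "CVE-2024-21755, CVE-2024-21756", "4.2.0", "4.2.6", "4.2.7"),
    ("FortiSandbox", "CVE-2024-21755, CVE-2024-21756", "4.0.0", "4.0.4", "4.0.5"),
]


def parse_version(v):
    """'7.0.13' -> (7, 0, 13): compare builds numerically, never as strings."""
    return tuple(int(p) for p in v.split("."))


def check(product, version):
    """Return [(cve, fixed_in)] for every advisory row the build falls into; [] if clean."""
    ver = parse_version(version)
    hits = []
    for prod, cve, first, last, fixed in AFFECTED:
        if prod != product:
            continue
        lo = parse_version(first)
        if last is None:
            affected = ver[:2] == lo[:2]  # whole major.minor branch is listed
        else:
            affected = lo <= ver <= parse_version(last)
        if affected:
            hits.append((cve, fixed))
    return hits
```

`check("FortiOS", "7.0.9")` returns the CVE and the 7.0.13 fix, while `check("FortiOS", "7.0.13")` returns an empty list.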

Referenced Sites

[1] FortiOS & FortiProxy – administrator cookie leakage

https://www.fortiguard.com/psirt/FG-IR-23-493

[2] [FortiClient Linux] Remote Code Execution due to dangerous ELECTRONJS configuration

https://www.fortiguard.com/psirt/FG-IR-23-087

[3] FortiSandbox – Arbitrary file delete on endpoint

https://www.fortiguard.com/psirt/FG-IR-23-454

[4] FortiSandbox – OS command injection on endpoint

https://www.fortiguard.com/psirt/FG-IR-23-489