What are the vulnerabilities all about?

Fortinet has fixed security vulnerabilities in several of its products. Besides SQL injections, the flaws include ways for attackers to execute arbitrary commands on the appliances. Fortinet provides updates for all affected products and recommends that administrators install them.

Fortinet Vulnerabilities

FortiClient Vulnerabilities

FortiClient (Windows) – Arbitrary file deletion by unprivileged users (CVE-2022-40681)
An incorrect authorization [CWE-863] vulnerability in FortiClient (Windows) may allow a local, low-privileged attacker to delete arbitrary files in the device filesystem.

Affected

FortiClientWindows 7.0.0 through 7.0.7
FortiClientWindows 6.4.0 through 6.4.8
FortiClientWindows 6.2 all versions
FortiClientWindows 6.0 all versions

Solution

Upgrade to 7.2.0 or above
Upgrade to 7.0.8 or above
Upgrade to 6.4.9 or above

FortiClient (Windows) – DLL Hijacking via openssl.cnf (CVE-2023-41840)
An untrusted search path vulnerability [CWE-426] in the FortiClient Windows OpenSSL component may allow an attacker to perform a DLL hijack via a malicious OpenSSL engine library placed in the search path.

Affected

FortiClientWindows 7.2.0 through 7.2.1
FortiClientWindows 7.0.9

Solution

Upgrade to 7.2.2 or above
Upgrade to 7.0.10 or above

FortiClient for Windows – Hardcoded credentials in vcm2.exe (CVE-2023-33304)
A use of hard-coded credentials vulnerability [CWE-798] in FortiClient for Windows may allow an attacker to bypass system protections via the use of static credentials.

Affected

FortiClientWindows 7.2.0 through 7.2.1
FortiClientWindows 7.0.0 through 7.0.9

Solution

Upgrade to 7.2.2 or above
Upgrade to 7.0.10 or above

TunnelCrack VPN vulnerabilities (CVE-2023-36671)
Fortinet is aware of a research article named TunnelCrack, published at Usenix [1], which describes the LocalNet and ServerIP attacks. These attacks aim to leak VPN client traffic outside of the protected VPN tunnel when clients connect via untrusted networks, such as rogue Wi-Fi access points. The LocalNet attack allows an attacker to abuse the VPN's local network access feature so that selected traffic is sent unencrypted to the local network instead of through the tunnel. The ServerIP attack allows an attacker to intercept traffic sent to a spoofed VPN gateway address by means of DNS spoofing. These attacks do not enable the attacker to decrypt tunneled traffic; instead, they redirect traffic through attacker-controlled channels before the VPN encrypts it.
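The two routing exceptions that LocalNet and ServerIP abuse can be modelled in a few lines. The following is an added example, not Fortinet's code and not code from the TunnelCrack paper: it models a VPN client that (1) sends destinations inside the access point's assigned subnet directly when "allow local network access" is enabled, and (2) never tunnels packets addressed to the VPN server's own IP, which it learned from a DNS answer the attacker may have spoofed. The class and function names and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Model of the TunnelCrack LocalNet and ServerIP leaks (added example).

Not Fortinet's code and not code from the TunnelCrack paper. It models the two
routing exceptions a VPN client has and that the attacks abuse: local network
access (LocalNet) and the exemption for the VPN server's own IP (ServerIP).
All addresses and subnets are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnClientState:
    allow_local_network_access: bool  # client feature abused by LocalNet
    vpn_server_ip: str                # as resolved via DNS; abused by ServerIP
    local_subnet: str                 # subnet the access point's DHCP handed out


def route_for(state: VpnClientState, destination: str) -> str:
    """Return 'plain' if traffic to destination bypasses the tunnel, else 'tunnel'."""
    dst = ipaddress.ip_address(destination)
    if dst == ipaddress.ip_address(state.vpn_server_ip):
        # Exception 1: the tunnel's own outer packets must not loop back into it.
        return "plain"
    local_net = ipaddress.ip_network(state.local_subnet, strict=False)
    if state.allow_local_network_access and dst in local_net:
        # Exception 2: local network access sends "local" destinations directly.
        return "plain"
    return "tunnel"


def leaked(state: VpnClientState, destinations: list[str]) -> list[str]:
    """Destinations whose traffic leaves the device unprotected by the tunnel."""
    return [d for d in destinations if route_for(state, d) == "plain"]


# Constructed scenario: the victim's real VPN gateway and a server it wants to reach.
REAL_VPN_SERVER = "192.0.2.10"
TARGET_SERVER = "198.51.100.7"

# Honest access point: the local subnet is a private range, the target is tunneled.
honest = VpnClientState(True, REAL_VPN_SERVER, "192.168.1.0/24")

# LocalNet: the rogue AP's DHCP assigns a "local" subnet that covers the target,
# so a client allowing local network access sends the target's traffic in the clear.
localnet_attack = VpnClientState(True, REAL_VPN_SERVER, "198.51.100.0/24")

# Same rogue subnet, but local network access disabled: the leak is closed.
localnet_hardened = VpnClientState(False, REAL_VPN_SERVER, "198.51.100.0/24")

# ServerIP: spoofed DNS makes the VPN server name resolve to the target's IP, so the
# client's "do not tunnel the VPN server" exception now exempts the target itself.
serverip_attack = VpnClientState(False, TARGET_SERVER, "192.168.1.0/24")


if __name__ == "__main__":
    for name, state in [("honest", honest), ("localnet", localnet_attack),
                        ("localnet_hardened", localnet_hardened),
                        ("serverip", serverip_attack)]:
        print(f"{name:18s} target -> {route_for(state, TARGET_SERVER)}")
```

The model makes the defensive point concrete: disabling local network access on untrusted networks closes LocalNet, while the ServerIP exemption is only safe when the IP it is built from is trustworthy, which a DNS answer received on a rogue network is not. Application-layer protection such as HTTPS or SSH, as the advisory recommends, limits what an attacker gains from either redirection.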

Affected

None if properly configured: when connecting via an untrusted network, a VPN client should be configured according to the safety recommendations and/or use secure communication protocols such as SSH/HTTPS, which prevent spoofing attacks from succeeding. See the solution below.

Solution

Detailed information is available on FortiGuard.

More vulnerabilities in Fortinet Products

curl and libcurl CVE-2023-38545 and CVE-2023-38546 vulnerabilities (CVE-2023-38545)
CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool). A heap-based buffer overflow was found in the SOCKS5 proxy handshake in curl. When curl is configured to let the proxy resolve the address, it passes the hostname to the SOCKS5 proxy; however, the maximum hostname length that can be passed is 255 bytes. If the hostname is longer, curl is supposed to switch to local name resolution and pass only the resolved address to the proxy. The local variable that tells curl to "let the host resolve the name" could obtain the wrong value during a slow SOCKS5 handshake, so the too-long hostname was copied into the target buffer instead of the resolved address, which was not the intended behavior.
CVE-2023-38546: severity LOW (affects libcurl only, not the tool). A flaw was found in libcurl that allows an attacker to insert cookies into a running program using libcurl if a specific series of conditions is met.
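The 255-byte limit comes from the SOCKS5 wire format (RFC 1928): a domain-name address (ATYP 0x03) is prefixed by a single length octet. The following is an added example, not curl's code, showing the two code paths the CVE-2023-38545 description refers to, with the length decision and the copy made in one step so they cannot disagree, plus a parser for the proxy side that bounds the name by that same octet. `fake_resolver` is a constructed stand-in for DNS so the example runs offline; non-ASCII hostnames are out of scope here.

```python
"""SOCKS5 CONNECT request construction with the 255-byte hostname limit.

Added example, not curl's code. A hostname of at most 255 bytes is sent to the
proxy as an ATYP_DOMAIN address; a longer one is resolved locally and only the
IP address is sent. `fake_resolver` is a constructed DNS stand-in.
"""
import ipaddress
import struct

SOCKS5_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
MAX_DOMAIN_LEN = 255  # the single length octet of ATYP_DOMAIN cannot exceed this


def build_connect_request(host: str, port: int, resolver) -> tuple[bytes, bool]:
    """Return (request bytes, resolved_locally) for a SOCKS5 CONNECT to host:port."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    header = bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00])  # VER, CMD, RSV
    try:
        ip = ipaddress.ip_address(host)  # literal IP: nothing to resolve
    except ValueError:
        name = host.encode("ascii")
        if len(name) <= MAX_DOMAIN_LEN:
            # Decision and copy happen together: the length octet is derived from
            # the very bytes being copied, so a too-long name can never be emitted.
            return header + bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port), False
        # Too long for the protocol: resolve locally, send only the address.
        ip = ipaddress.ip_address(resolver(host))
        resolved_locally = True
    else:
        resolved_locally = False
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return header + bytes([atyp]) + ip.packed + struct.pack("!H", port), resolved_locally


def parse_connect_request(data: bytes) -> dict:
    """Proxy-side parser: every address type has a fixed or self-bounded length."""
    if len(data) < 5 or data[0] != SOCKS5_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_DOMAIN:
        addr_start, addr_end = 5, 5 + data[4]  # one length octet, max 255
    elif atyp == ATYP_IPV4:
        addr_start, addr_end = 4, 4 + 4
    elif atyp == ATYP_IPV6:
        addr_start, addr_end = 4, 4 + 16
    else:
        raise ValueError("unknown address type")
    if len(data) != addr_end + 2:  # address followed by exactly a 2-byte port
        raise ValueError("length mismatch")
    raw = data[addr_start:addr_end]
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii")
    elif atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(raw))
    else:
        host = str(ipaddress.IPv6Address(raw))
    port = struct.unpack("!H", data[addr_end:])[0]
    return {"atyp": atyp, "host": host, "port": port}


def fake_resolver(hostname: str) -> str:
    """Constructed DNS stand-in: every name resolves to a documentation address."""
    return "198.51.100.7"


if __name__ == "__main__":
    for h in ("example.com", "a" * 300 + ".example", "192.0.2.1"):
        req, local = build_connect_request(h, 443, fake_resolver)
        print(f"{len(h):3d}-char host -> {len(req):2d} bytes, resolved locally: {local}")
        print("   proxy sees:", parse_connect_request(req))
```

The proxy-side parser rejects anything whose declared length does not match the bytes received, and the client side never has a separate "resolve locally" flag that could drift from the data actually copied, which is the class of inconsistency the advisory text describes.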

Affected

FortiGate (only the FGT_VM64 model is impacted and authentication is required):
FGT_VM64 version 7.4.0 through 7.4.1
FGT_VM64 version 7.2.0 through 7.2.6
FGT_VM64 version 7.0.1 through 7.0.13

Solution

Please upgrade to upcoming FGT_VM64 version 7.4.2 or above
Please upgrade to upcoming FGT_VM64 version 7.2.7 or above

FortiEDRCollector (Windows) – Protection may be disabled by local attacker (CVE-2023-44248)
An improper access control vulnerability [CWE-284] in FortiEDRCollectorWindows may allow a local attacker to prevent the collector service from starting on the next system reboot by tampering with some registry keys of the service.

Affected

FortiEDRCollectorWindows version 5.2.0.4549 and below
FortiEDRCollectorWindows 5.0.3.1007 and below
FortiEDRCollectorWindows 4.0 all versions

Solution

Upgrade to FortiEDRCollectorWindows version 5.2.0.4581 or above
Upgrade to FortiEDRCollectorWindows version 5.0.3.1016 or above

FortiMail – Login mechanism without rate limitation (CVE-2023-45582)
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail may allow an unauthenticated attacker to perform a brute force attack on the affected endpoints via repeated login attempts.

Affected

FortiMail 7.4.0
FortiMail 7.2.0 through 7.2.4
FortiMail 7.0.0 through 7.0.6
FortiMail 6.4.0 through 6.4.8
FortiMail 6.2 all versions

Solution

Upgrade to 7.4.1 or above
Upgrade to 7.2.5 or above
Upgrade to 7.0.7 or above
Upgrade to 6.4.9 or above

FortiMail – User can see and modify address book folders title of other users (CVE-2023-36633)
An improper authorization vulnerability [CWE-285] in FortiMail webmail may allow an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPS requests.

Affected

FortiMail 7.2.0 through 7.2.2
FortiMail 7.0.0 through 7.0.5
FortiMail 6.4 all versions
FortiMail 6.2 all versions
FortiMail 6.0 all versions

Solution

Upgrade to 7.4.0 or above
Upgrade to 7.2.3 or above
Upgrade to 7.0.7 or above

FortiManager & FortiAnalyzer – Use of hardcoded credentials in fmgsvrd (CVE-2023-40719)
A use of hard-coded credentials [CWE-798] in FortiManager and FortiAnalyzer may allow an attacker to access Fortinet dummy testing data via the use of static credentials. Those credentials have been revoked.

Affected

FortiAnalyzer 7.4.0
FortiAnalyzer 7.2.0 through 7.2.3
FortiAnalyzer 7.0 all versions
FortiManager 7.4.0
FortiManager 7.2.0 through 7.2.3
FortiManager 7.0 all versions

Solution

Upgrade to 7.4.1 or above
Upgrade to 7.2.4 or above

FortiOS & FortiProxy – DoS in headers management (CVE-2023-36641)
A null pointer dereference [CWE-476] in FortiOS and FortiProxy SSL VPN may allow an authenticated attacker to perform a DoS attack on the device via specifically crafted HTTP requests.

Affected

FortiOS 7.4.0
FortiOS 7.2.0 through 7.2.5
FortiOS 7.0.0 through 7.0.12
FortiOS 6.4 all versions
FortiOS 6.2 all versions
FortiOS 6.0 all versions
FortiProxy 7.2.0 through 7.2.4
FortiProxy 7.0.0 through 7.0.10
FortiProxy 2.0 all versions
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions

Solution

FortiOS:
Upgrade to 7.4.1 or above
Upgrade to 7.2.6 or above
Upgrade to 7.0.13 or above

FortiProxy
Upgrade to 7.2.5 or above
Upgrade to 7.0.11 or above

FortiOS & FortiProxy VM – Bypass of root file system integrity checks at boot time on VM (CVE-2023-28002)
An improper validation of integrity check value vulnerability [CWE-354] in FortiOS and FortiProxy VMs may allow a local attacker with admin privileges to boot a malicious image on the device and bypass the filesystem integrity check in place.

Affected

FortiOS 7.2.0 through 7.2.3
FortiOS 7.0.0 through 7.0.12
FortiOS 6.4 all versions
FortiOS 6.2 all versions
FortiOS 6.0 all versions
FortiProxy 7.2 all versions
FortiProxy 7.0 all versions
FortiProxy 2.0 all versions

Solution

Upgrade to 7.4.0 or above
Upgrade to 7.2.4 or above
Upgrade to 7.0.13 or above