Fortinet Patches Critical Remote Code Execution Vulnerability in FortiOS/FortiProxy

13 July 2023 [NO.TCSA : 20230713-1-1-P]


A critical severity flaw has been identified in Fortinet’s FortiOS and FortiProxy devices, designated as CVE-2023-33308. This vulnerability allows a remote attacker to execute arbitrary code on vulnerable devices. The flaw has received a CVSSv3 rating of 9.8 out of 10.0, rating it “critical.”

Affected Versions

The vulnerability affects the following versions of Fortinet’s software:

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.10
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.9

Fortinet has clarified that the issue does not impact the latest release branch, FortiOS 7.4, or FortiOS products from the 6.0, 6.2, 6.4, 2.x, and 1.x release branches.

Mitigation

Fortinet has released patches to address this vulnerability. Users are strongly advised to update their systems to the following versions or above:

  • FortiOS version 7.2.4
  • FortiOS version 7.0.11
  • FortiProxy version 7.2.3
  • FortiProxy version 7.0.10

If updating is not immediately possible, Fortinet has provided a workaround: disable HTTP/2 support on the SSL inspection profiles used by proxy policies or by firewall policies operating in proxy mode.

Here is an example of a custom-deep-inspection profile that disables HTTP/2 support by restricting ALPN to HTTP/1.1:

config firewall ssl-ssh-profile
   edit "custom-deep-inspection"
      set supported-alpn http1-1
   next
end
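The following is an added example (not Fortinet's code or tooling) that turns the bulletin into two checks a defender can run against an inventory: whether a reported product/version falls inside the affected ranges listed above, and whether a given ssl-ssh-profile in exported CLI configuration actually carries the `set supported-alpn http1-1` workaround. It assumes versions are given as `major.minor.patch` and that a profile with no explicit `supported-alpn` keeps a default that still permits HTTP/2; the sample configuration is constructed, not taken from a real device.

```python
# Inclusive affected ranges from the bulletin, per product.
AFFECTED = {
    "FortiOS": [((7, 2, 0), (7, 2, 3)), ((7, 0, 0), (7, 0, 10))],
    "FortiProxy": [((7, 2, 0), (7, 2, 2)), ((7, 0, 0), (7, 0, 9))],
}

# Constructed sample CLI output (not from a real device): one profile with
# the workaround, one without, plus a nested block to exercise the parser.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set supported-alpn http1-1
        config https
            set ports 443
        end
    next
    edit "deep-inspection"
    next
end
"""

def is_affected(product, version):
    """True if a 'major.minor.patch' string falls inside a bulletin range."""
    v = tuple(int(x) for x in version.strip().lstrip("v").split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED.get(product, []))

def alpn_settings(config_text):
    """Map each ssl-ssh-profile name to its supported-alpn value (None if unset)."""
    stack, current, profiles = [], None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):   # nested blocks are pushed on a stack
            stack.append(line[7:])
        elif line == "end":
            stack.pop()
        elif stack and stack[-1] == "firewall ssl-ssh-profile":
            if line.startswith("edit "):
                current = line[5:].strip().strip('"')
                profiles[current] = None
            elif line == "next":
                current = None
            elif current and line.startswith("set supported-alpn "):
                profiles[current] = line.split(None, 2)[2]
    return profiles

def workaround_applied(config_text, profile_name):
    """True only when ALPN is pinned to http1-1. Assumption: an unset value
    keeps the default, which still permits HTTP/2 negotiation."""
    return alpn_settings(config_text).get(profile_name) == "http1-1"
```

Feed `alpn_settings` the output of `show firewall ssl-ssh-profile` from each device and flag every profile whose value is not `http1-1` until the patched release is installed.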
