13 July 2023 [NO.TCSA : 20230713-1-1-P]
A critical severity flaw has been identified in Fortinet’s FortiOS and FortiProxy devices, designated as CVE-2023-33308. This vulnerability allows a remote attacker to execute arbitrary code on vulnerable devices. The flaw has received a CVSSv3 rating of 9.8 out of 10.0, rating it “critical.”
The vulnerability affects the following versions of Fortinet’s software:
Fortinet has clarified that the issue does not impact the latest release branch, FortiOS 7.4, or FortiOS products from the 6.0, 6.2, 6.4, 2.x, and 1.x release branches.
Fortinet has released patches to address this vulnerability. Users are strongly advised to update their systems to the following versions or above:
If updating is not immediately possible, Fortinet has provided a workaround by disabling HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode.
Here is an example of a custom-deep-inspection profile that disabled HTTP/2 support:
config firewall ssl-ssh-profile edit "custom-deep-inspection" set supported-alpn http1-1 next end