On July 11th, 2023, Fortinet published a security advisory detailing a remote code execution vulnerability affecting FortiOS and FortiProxy (CVE-2023-33308). This stack-based overflow vulnerability affects proxy policies and/or firewall policies with proxy mode and SSL deep packet inspection enabled. The CVE was discovered and responsibly disclosed to Fortinet by security researchers. At this time, exploitation has not been observed in the wild, and no proof of concept (PoC) exploit has been published.
As CISA’s Known Exploited Vulnerabilities Catalog shows, threat actors have actively exploited Fortinet vulnerabilities in the past. Given the severity of this vulnerability and the fact that similar vulnerabilities have been weaponized by threat actors, Arctic Wolf strongly recommends upgrading to the latest available versions of FortiOS and FortiProxy on all affected devices.
| Product | Vulnerable versions | Patched versions |
|---|---|---|
| FortiOS | 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.10, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0 | FortiOS 7.4.0 or above; FortiOS 7.2.4 or above; FortiOS 7.0.11 or above |
| FortiProxy | 7.2.2, 7.2.1, 7.2.0, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0 | FortiProxy 7.2.3 or above; FortiProxy 7.0.10 or above |
Recommendations for CVE-2023-33308
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
Recommendation #1: Upgrade to the Most Recent Version Release
Arctic Wolf strongly recommends updating to one of the patched versions listed in the table below to remediate the newly disclosed vulnerability.
| Product | Vulnerable versions | Patched versions |
|---|---|---|
| FortiOS | 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.10, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0 | FortiOS 7.4.0 or above; FortiOS 7.2.4 or above; FortiOS 7.0.11 or above |
| FortiProxy | 7.2.2, 7.2.1, 7.2.0, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0 | FortiProxy 7.2.3 or above; FortiProxy 7.0.10 or above |
Workaround: Disable HTTP/2 support on SSL Inspection Profiles
If you are unable to upgrade to the versions above, Fortinet’s advisory recommends disabling HTTP/2 support on the SSL inspection profiles used by proxy policies or by firewall policies in proxy mode, as a mitigation for the vulnerability.
Fortinet’s example, applied to the custom-deep-inspection profile:

```text
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set supported-alpn http1-1
    next
end
```
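The two checks a defender needs here are whether a given firmware build falls in the vulnerable ranges from the table above, and whether the workaround has actually been applied to every SSL inspection profile. The following Python helper is an added example, not code from Arctic Wolf or Fortinet. It takes the version lists from the advisory as-is; the config parser assumes the CLI layout shown in Fortinet’s example (`config`/`edit`/`set`/`next`/`end`), that `set supported-alpn` accepts `http1-1`, `http2`, `all` or `none`, and that a profile with no `set supported-alpn` line is at its default and still allows HTTP/2. The sample config text is constructed for the example.

```python
"""Triage helpers for CVE-2023-33308 exposure (constructed example).

Not Arctic Wolf's or Fortinet's code. Version lists come from the advisory;
the config parsing assumes the FortiOS CLI layout shown in Fortinet's
workaround and that 'set supported-alpn' takes http1-1 / http2 / all / none,
with the default (no 'set' line) still permitting HTTP/2.
"""
import re

# Vulnerable versions exactly as listed in the advisory table.
VULNERABLE = {
    "FortiOS": {"7.2.3", "7.2.2", "7.2.1", "7.2.0", "7.0.10", "7.0.9", "7.0.8",
                "7.0.7", "7.0.6", "7.0.5", "7.0.4", "7.0.3", "7.0.2", "7.0.1", "7.0.0"},
    "FortiProxy": {"7.2.2", "7.2.1", "7.2.0", "7.0.9", "7.0.8", "7.0.7", "7.0.6",
                   "7.0.5", "7.0.4", "7.0.3", "7.0.2", "7.0.1", "7.0.0"},
}
# First fixed release per branch ("7.4.0 or above", "7.2.4 or above", ...).
PATCHED = {
    "FortiOS": {"7.4": (7, 4, 0), "7.2": (7, 2, 4), "7.0": (7, 0, 11)},
    "FortiProxy": {"7.2": (7, 2, 3), "7.0": (7, 0, 10)},
}


def parse_version(text):
    """'v7.0.10,build0479' -> (7, 0, 10); build suffixes are ignored."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_status(product, version_text):
    """Return 'vulnerable', 'patched' or 'unlisted' for a product/version."""
    major, minor, patch = parse_version(version_text)
    if f"{major}.{minor}.{patch}" in VULNERABLE[product]:
        return "vulnerable"
    fixed = PATCHED[product].get(f"{major}.{minor}")
    if fixed is None:
        # Branches the advisory does not mention (e.g. 6.x): review manually.
        return "unlisted"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def profiles_allowing_http2(config_text):
    """List ssl-ssh-profile names on which HTTP/2 can still be negotiated via
    ALPN, i.e. profiles where the advisory's workaround has not been applied.
    Nested 'config ... end' blocks inside a profile are skipped by depth."""
    exposed, depth, section_depth, name, alpn = [], 0, None, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config firewall ssl-ssh-profile":
                section_depth = depth
            continue
        if line == "end":
            if section_depth == depth:
                section_depth = None
            depth -= 1
            continue
        if section_depth is None or depth != section_depth:
            continue  # outside the profile section, or inside a nested block
        if line.startswith("edit "):
            name, alpn = line[5:].strip().strip('"'), None  # default until set
        elif line.startswith("set supported-alpn "):
            alpn = line.split(None, 2)[2].strip()
        elif line == "next" and name is not None:
            if alpn in (None, "all", "http2"):  # assumption: default allows HTTP/2
                exposed.append(name)
            name = None
    return exposed


# Constructed sample of 'show firewall ssl-ssh-profile' output; only the
# first and third profiles have the workaround (or 'none') applied.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set supported-alpn http1-1
        config https
            set ports 443
        end
    next
    edit "deep-inspection"
        config https
            set ports 443
        end
    next
    edit "no-inspection"
        set supported-alpn none
    next
end
"""

if __name__ == "__main__":
    print(version_status("FortiOS", "v7.0.10,build0479"))   # vulnerable
    print(profiles_allowing_http2(SAMPLE_CONFIG))            # ['deep-inspection']
```

Run it against the `get system status` version string and the output of `show firewall ssl-ssh-profile` from each device; any profile it reports is one the workaround has not yet been applied to, and any device reported as vulnerable should be scheduled for the upgrade in the table above. Treat `unlisted` as a prompt to consult Fortinet’s advisory rather than as a clean result.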