Fortinet has just released fixes to address a whopping 15 security flaws- including one critical vulnerability that impacts FortiOS and FortiProxy. This issue, CVE-2023-25610, is rated a 9.3 out of 10 for severity and was discovered by Fortinet's security teams.
A buffer underwrite ('buffer underflow') vulnerability in the FortiOS and FortiProxy administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests," Fortinet said in an advisory. Underflow bugs, also called buffer underruns, occur when the input data is shorter than the reserved space, causing unpredictable behavior or leakage of sensitive data from memory. Other possible consequences include memory corruption that could either be weaponized to induce a crash or execute arbitrary code.
Fortinet said it's not aware of any malicious exploitation attempts against the flaw. But given that prior flaws in software have come under active abuse in the wild, it's essential that users move quickly to apply the patches. The following versions of FortiOS and FortiProxy are impacted by the vulnerability - Fixes are available in FortiOS versions 6.2.13, 6.4.12, 7.0.10, 7.2.4, and 7.4.0; FortiOS-6K7K versions 6.2.13, 6.4.12, and 7.0.10; and FortiProxy versions 2.0.12, 7.0.9, and 7.0.9.