Fortigate Critical Vulnerability Disclosure - Mar 2023 - Oops I did it again
Well, it's only a couple of months since the last one. Another Critical Fortigate vulnerability.
Fortigate have just released the following FortiOS / FortiProxy - Heap buffer underflow in administrative interface; PSIRT Advisories | FortiGuard
It has a CVSSv3 of 9.3, so it's another doozy.
Of course we know that we shouldn't have FW admin interfaces facing the internet, but Shodan has over 300,000 devices lists.
At least this time it was discovered internally and there is no evidence of the issue being exploited in the wild. The mitigations involve local-in policies. Now these may be familiar to regular Fortigate users, but they are not your normal security policy. They are specific rules that are applied to traffic destined to the device itself.
The safest way forward is to update to the latest versions:
Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.10 or above
Please upgrade to FortiOS version 6.4.12 or above
Please upgrade to FortiOS version 6.2.13 or above