{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-028.pdf"
    },
    "title": "Vulnerabilities in Fortinet Products",
    "serial_number": "2024-028",
    "publish_date": "14-03-2024 16:49:32",
    "description": "On March 12, 2024, Fortinet released fixes for three vulnerabilities affecting some of their products. The vulnerabilities could allow an unauthenticated attacker to execute unauthorised code or commands via specifically crafted requests.<br>\nIt is recommended to upgrade affected software as soon as possible.<br>\n",
    "url_title": "2024-028",
    "content_markdown": "---\ntitle: 'Vulnerabilities in Fortinet Products'\nnumber: '2024-028'\nversion: '1.0'\noriginal_date: 'March 12, 2024'\ndate: 'March 14, 2024'\n---\n\n_History:_\n\n* _14/03/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn March 12, 2024, Fortinet released fixes for three vulnerabilities affecting some of their products. The vulnerabilities could allow an unauthenticated attacker to execute unauthorised code or commands via specifically crafted requests.\n\nIt is recommended to upgrade affected software as soon as possible.\n\n# Technical Details\n\nThe vulnerability `CVE-2023-48788` (CVSS score: 9.3) is an SQL injection in the DB2 Administration Server (DAS) component. It impacts FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2), and it allows unauthenticated attackers to gain RCE with SYSTEM privileges on unpatched servers in low-complexity attacks that don't require user interaction [1].\n\nThe vulnerability `CVE-2023-42789` (CVSS score: 9.3) in FortiOS and FortiProxy is an out-of-bounds write vulnerability that could let an unauthenticated _inside attacker_ (who has access to the captive portal) remotely execute unauthorised code or commands on unpatched devices using maliciously crafted HTTP requests [2].\n\nThe vulnerability `CVE-2023-42790` (CVSS score: 9.3) in FortiOS and FortiProxy is a stack-based buffer overflow that allows an unauthenticated _inside attacker_ (who has access to the captive portal) to execute arbitrary code or commands via specially crafted HTTP requests.\n\n# Affected Products\n\nFor `CVE-2023-48788`:\n\n- FortiClientEMS 7.2.0 through 7.2.2\n- FortiClientEMS 7.0.1 through 7.0.10\n\nFor `CVE-2023-42789` and `CVE-2023-42790`:\n\n- FortiOS version 7.4.0 through 7.4.1\n- FortiOS version 7.2.0 through 7.2.5\n- FortiOS version 7.0.0 through 7.0.12\n- FortiOS version 6.4.0 through 6.4.14\n- FortiOS version 6.2.0 through 6.2.15\n- FortiProxy version 7.4.0\n- FortiProxy version 7.2.0 through 7.2.6\n- FortiProxy version 7.0.0 through 7.0.12\n- FortiProxy version 2.0.0 through 2.0.13\n\n# Recommendations\n\nFor `CVE-2023-48788`:\n\n- Upgrade FortiClientEMS to 7.2.3 or above\n- Upgrade FortiClientEMS to 7.0.11 or above\n\nFor `CVE-2023-42789` and `CVE-2023-42790`:\n\n- Upgrade to FortiOS version 7.4.2 or above\n- Upgrade to FortiOS version 7.2.6 or above\n- Upgrade to FortiOS version 7.0.13 or above\n- Upgrade to FortiOS version 6.4.15 or above\n- Upgrade to FortiOS version 6.2.16 or above\n- Upgrade to FortiProxy version 7.4.1 or above\n- Upgrade to FortiProxy version 7.2.7 or above\n- Upgrade to FortiProxy version 7.0.13 or above\n- Upgrade to FortiProxy version 2.0.14 or above\n\n## Workarounds\n\nFor the second and third vulnerabilities, `CVE-2023-42789` and `CVE-2023-42790`, a workaround is possible by setting a non-form-based authentication scheme:\n\n```\nconfig authentication scheme\nedit scheme\nset method <method>\nnext\nend\n```\n\nWhere `<method>` can be any of the following settings:\n\n```\n- ntlm NTLM authentication.\n- basic Basic HTTP authentication.\n- digest Digest HTTP authentication.\n- negotiate Negotiate authentication.\n- fsso Fortinet Single Sign-On (FSSO) authentication.\n- rsso RADIUS Single Sign-On (RSSO) authentication.\n- ssh-publickey Public key based SSH authentication.\n- cert Client certificate authentication.\n- saml SAML authentication\n```\n\nCERT-EU strongly recommends updating affected software to the latest versions by following the instructions given by the vendor [1].\n\n# References\n\n[1] <https://fortiguard.fortinet.com/psirt/FG-IR-24-007>\n\n[2] <https://www.fortiguard.com/psirt/FG-IR-23-328>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>14/03/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On March 12, 2024, Fortinet released fixes for three vulnerabilities affecting some of their products. The vulnerabilities could allow an unauthenticated attacker to execute unauthorised code or commands via specifically crafted requests.</p><p>It is recommended to upgrade affected software as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <code>CVE-2023-48788</code> (CVSS score: 9.3) is an SQL injection in the DB2 Administration Server (DAS) component. It impacts FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2), and it allows unauthenticated attackers to gain RCE with SYSTEM privileges on unpatched servers in low-complexity attacks that don't require user interaction [1].</p><p>The vulnerability <code>CVE-2023-42789</code> (CVSS score: 9.3) in FortiOS and FortiProxy is an out-of-bounds write vulnerability that could let an unauthenticated <em>inside attacker</em> (who has access to the captive portal) remotely execute unauthorised code or commands on unpatched devices using maliciously crafted HTTP requests [2].</p><p>The vulnerability <code>CVE-2023-42790</code> (CVSS score: 9.3) in FortiOS and FortiProxy is a stack-based buffer overflow that allows an unauthenticated <em>inside attacker</em> (who has access to the captive portal) to execute arbitrary code or commands via specially crafted HTTP requests.</p><h2 id=\"affected-products\">Affected Products</h2><p>For <code>CVE-2023-48788</code>:</p><ul><li>FortiClientEMS 7.2.0 through 7.2.2</li><li>FortiClientEMS 7.0.1 through 7.0.10</li></ul><p>For <code>CVE-2023-42789</code> and <code>CVE-2023-42790</code>:</p><ul><li>FortiOS version 7.4.0 through 7.4.1</li><li>FortiOS version 7.2.0 through 7.2.5</li><li>FortiOS version 7.0.0 through 7.0.12</li><li>FortiOS version 6.4.0 through 6.4.14</li><li>FortiOS version 6.2.0 through 6.2.15</li><li>FortiProxy version 7.4.0</li><li>FortiProxy version 7.2.0 through 7.2.6</li><li>FortiProxy version 7.0.0 through 7.0.12</li><li>FortiProxy version 2.0.0 through 2.0.13</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>For <code>CVE-2023-48788</code>:</p><ul><li>Upgrade FortiClientEMS to 7.2.3 or above</li><li>Upgrade FortiClientEMS to 7.0.11 or above</li></ul><p>For <code>CVE-2023-42789</code> and <code>CVE-2023-42790</code>:</p><ul><li>Upgrade to FortiOS version 7.4.2 or above</li><li>Upgrade to FortiOS version 7.2.6 or above</li><li>Upgrade to FortiOS version 7.0.13 or above</li><li>Upgrade to FortiOS version 6.4.15 or above</li><li>Upgrade to FortiOS version 6.2.16 or above</li><li>Upgrade to FortiProxy version 7.4.1 or above</li><li>Upgrade to FortiProxy version 7.2.7 or above</li><li>Upgrade to FortiProxy version 7.0.13 or above</li><li>Upgrade to FortiProxy version 2.0.14 or above</li></ul><h3 id=\"workarounds\">Workarounds</h3><p>For the second and third vulnerabilities, <code>CVE-2023-42789</code> and <code>CVE-2023-42790</code>, a workaround is possible by setting a non-form-based authentication scheme:</p><pre><code>config authentication scheme\nedit scheme\nset method &lt;method&gt;\nnext\nend\n</code></pre><p>Where <code>&lt;method&gt;</code> can be any of the following settings:</p><pre><code>- ntlm NTLM authentication.\n- basic Basic HTTP authentication.\n- digest Digest HTTP authentication.\n- negotiate Negotiate authentication.\n- fsso Fortinet Single Sign-On (FSSO) authentication.\n- rsso RADIUS Single Sign-On (RSSO) authentication.\n- ssh-publickey Public key based SSH authentication.\n- cert Client certificate authentication.\n- saml SAML authentication\n</code></pre><p>CERT-EU strongly recommends updating affected software to the latest versions by following the instructions given by the vendor [1].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://fortiguard.fortinet.com/psirt/FG-IR-24-007\">https://fortiguard.fortinet.com/psirt/FG-IR-24-007</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-23-328\">https://www.fortiguard.com/psirt/FG-IR-23-328</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}