
Fortinet Fortigate - Heap buffer overflow in sslvpn pre-authentication (FG-IR-23-097)

2023-06-12 00:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.

The version of Fortigate installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-23-097 advisory.

  • A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. (CVE-2023-27997)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#TRUSTED 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
#TRUST-RSA-SHA256 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
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Registration branch: taken when the engine evaluates the plugin with
# `description` set. It only publishes metadata and ends with exit(0), so the
# version check further down never runs in this mode.
if (description)
{
  script_id(177116);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/18");

  # Vulnerability identifiers and cross-references (CISA KEV listing date, CEA, IAVA).
  script_cve_id("CVE-2023-27997");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/07/04");
  script_xref(name:"CEA-ID", value:"CEA-2023-0020");
  script_xref(name:"IAVA", value:"2023-A-0281-S");

  script_name(english:"Fortinet Fortigate - Heap buffer overflow in sslvpn pre-authentication (FG-IR-23-097)");

  script_set_attribute(attribute:"synopsis", value:
"Fortinet Firewall is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The version of Fortigate installed on the remote host is prior to tested version. It is, therefore, affected by a
vulnerability as referenced in the FG-IR-23-097 advisory.

  - A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote
    attacker to execute arbitrary code or commands via specifically crafted requests. (CVE-2023-27997)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.fortiguard.com/psirt/FG-IR-23-097");
  # NOTE(review): the solution lists a distinct FortiOS-6K7K fix for the 6.2
  # branch (6.2.15) while the 6.2 constraint in the detection code below uses
  # fixed_version 6.2.14 — confirm 6K7K models on 6.2.14 are not reported clean.
  script_set_attribute(attribute:"solution", value:
"Please upgrade to FortiOS-6K7K version 7.0.12 or above
Please upgrade to FortiOS-6K7K version 6.4.13 or above
Please upgrade to FortiOS-6K7K version 6.2.15 or above
Please upgrade to FortiOS-6K7K version 6.0.17 or above
Please upgrade to FortiProxy version 7.2.4 or above
Please upgrade to FortiProxy version 7.0.10 or above
Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.5 or above
Please upgrade to FortiOS version 7.0.12 or above
Please upgrade to FortiOS version 6.4.13 or above
Please upgrade to FortiOS version 6.2.14 or above
Please upgrade to FortiOS version 6.0.17 or above
Alternatively, apply one of the workarounds outlined in the linked advisory.");
  # CVSS vectors: network-reachable, low complexity, no authentication, full C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-27997");

  # Exploitation status flags; together with the CISA KEV xref above these
  # mark the finding as actively exploited, which prioritisation should reflect.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/06/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/06/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  # NOTE(review): the cpe names fortiproxy, but the detection code keys on
  # Host/Fortigate/* and the constraints are FortiOS branch ranges — confirm
  # the intended CPE (and whether FortiProxy 7.0.x/7.2.x is covered elsewhere).
  script_set_attribute(attribute:"cpe", value:"cpe:/a:fortinet:fortiproxy");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The model and version KB keys are required; they are presumably populated
  # by the fortinet_version.nbin dependency declared here.
  script_dependencies("fortinet_version.nbin");
  script_require_keys("Host/Fortigate/model", "Host/Fortigate/version");

  exit(0);
}

include('vcf_extras_fortios.inc');

# Detection: read the self-reported version from the KB, confirm the
# product/model, then compare against the affected branch ranges.
var product = 'Fortigate';
var info = vcf::get_app_info(app:product, kb_ver:'Host/Fortigate/version');
vcf::fortios::verify_product_and_model(product_name:product);

# diagnose sys top <Delay_in_seconds> <Maximum_lines_to_display> <Iterations_to_run>
# A single iteration with a large line cap so every process is listed once.
# If sslvpnd is not running, the host is not currently vulnerable.
var mitigations = [{config_command:'diagnose sys top 1 200 1', config_value:'sslvpnd', misc_cmd:TRUE}];

# Vulnerable ranges per FortiOS branch; fixed_version is presumably the
# upgrade target reported to the user.
var affected_ranges = [
  { 'min_version' : '6.0.0', 'max_version' : '6.0.16', 'fixed_version' : '6.0.17' },
  { 'min_version' : '6.2.0', 'max_version' : '6.2.13', 'fixed_version' : '6.2.14' },
  { 'min_version' : '6.4.0', 'max_version' : '6.4.12', 'fixed_version' : '6.4.13' },
  { 'min_version' : '7.0.0', 'max_version' : '7.0.11', 'fixed_version' : '7.0.12' },
  { 'min_version' : '7.2.0', 'max_version' : '7.2.4', 'fixed_version' : '7.2.5' }
];

vcf::fortios::check_version_and_report(
  app_info:info,
  constraints:affected_ranges,
  workarounds:mitigations,
  show_check:'Run Time:',
  not_equal:TRUE,
  severity:SECURITY_HOLE
);