FG-IR-23-328: Out-of-bounds Write in captive portal
First published: Tue Mar 12 2024(Updated: )
An out-of-bounds write vulnerability [CWE-787] and a Stack-based Buffer Overflow [CWE-121] in FortiOS & FortiProxy captive portal may allow an inside attacker who has access to captive portal to execute arbitrary code or commands via specially crafted HTTP requests. Workaround: Set a non form-based authentication scheme: config authentication schemeedit schemeset method methodnextend Where <method> can be any of those : ntlm NTLM authentication.basic Basic HTTP authentication.digest Digest HTTP authentication.negotiate Negotiate authentication.fsso Fortinet Single Sign-On (FSSO) authentication.rsso RADIUS Single Sign-On (RSSO) authentication.ssh-publickey Public key based SSH authentication.cert Client certificate authentication.saml SAML authentication None of the enabled authentication schemes should be form-based. Please note that only devices with captive portal enabled are affected.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiOS IPS Engine | ||
| Fortinet FortiProxy | ||
| Fortinet FortiOS IPS Engine | >=7.4.0<=7.4.1 | |
| Fortinet FortiOS IPS Engine | >=7.2.0<=7.2.5 | |
| Fortinet FortiOS IPS Engine | >=7.0.0<=7.0.12 | |
| Fortinet FortiOS IPS Engine | >=6.4.0<=6.4.14 | |
| Fortinet FortiOS IPS Engine | >=6.2.0<=6.2.15 | |
| Fortinet FortiProxy | =. | |
| Fortinet FortiProxy | >=7.2.0<=7.2.6 | |
| Fortinet FortiProxy | >=7.0.0<=7.0.12 | |
| Fortinet FortiProxy | >=2.0.0<=2.0.13 | |
| Fortinet FortiSASE | =3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of FG-IR-23-328?
FG-IR-23-328 has been classified as a critical vulnerability due to the potential for arbitrary code execution.
How do I fix FG-IR-23-328?
To fix FG-IR-23-328, update FortiOS or FortiProxy to the latest versions as specified in the advisory.
Who is affected by FG-IR-23-328?
FortiOS and FortiProxy users with versions vulnerable to FG-IR-23-328 are at risk.
What are the implications of FG-IR-23-328 if exploited?
If exploited, FG-IR-23-328 could allow an attacker to execute arbitrary commands on the affected devices.
Is there a workaround for FG-IR-23-328?
Currently, there is no specific workaround mentioned for FG-IR-23-328; updating to a patched version is advised.
- agent/last-modified-date
- agent/first-publish-date
- agent/type
- agent/severity
- agent/references
- agent/weakness
- agent/title
- agent/source
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2023-42789
- agent/event
- agent/description
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/fortiguard-psirt
- alias/CVE-2023-42790
- vendor/fortinet
- canonical/fortinet fortios ips engine
- canonical/fortinet fortiproxy
- version/fortinet fortios ips engine/7.4.0
- version/fortinet fortios ips engine/7.4.1
- version/fortinet fortios ips engine/7.2.0
- version/fortinet fortios ips engine/7.2.5
- version/fortinet fortios ips engine/7.0.0
- version/fortinet fortios ips engine/7.0.12
- version/fortinet fortios ips engine/6.4.0
- version/fortinet fortios ips engine/6.4.14
- version/fortinet fortios ips engine/6.2.0
- version/fortinet fortios ips engine/6.2.15
- version/fortinet fortiproxy/.
- version/fortinet fortiproxy/7.2.0
- version/fortinet fortiproxy/7.2.6
- version/fortinet fortiproxy/7.0.0
- version/fortinet fortiproxy/7.0.12
- version/fortinet fortiproxy/2.0.0
- version/fortinet fortiproxy/2.0.13
- canonical/fortinet fortisase
- version/fortinet fortisase/3