CVE-2023-25610: FortiOS / FortiProxy - Heap buffer underflow in administrative interface

Summary
Until a maintenance window is scheduled for patching the FortiGate firewalls, first limit the IP addresses that can reach the administrative interface. The local-in-policy below allows the administrative services only from a named group of management hosts and denies them from everywhere else.

How-to
config firewall address
edit "WorkPC01"
set subnet 192.168.0.100 255.255.255.255
next
edit "WorkPC02"
set subnet 192.168.0.101 255.255.255.255
next
end

config firewall addrgrp
edit "MGMT_IPs"
set member "WorkPC01" "WorkPC02"
next
end

If the administrative interface listens on a non-default port, define a custom service for that port and use that service name (in place of HTTPS) in the local-in-policy below, otherwise the policy does not cover the port actually in use. Example for port 8080:
config firewall service custom
edit MGMT_GUI_HTTPS
set tcp-portrange 8080
next
end

config firewall local-in-policy
edit 1
set intf "port1"
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service "HTTPS" "HTTP"
set schedule "always"
set status enable
next
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service "HTTPS" "HTTP"
set schedule "always"
set status enable
next
end
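To verify that the workaround above is actually present in a device's configuration (for example when auditing the configuration backups of a whole fleet), the following Python script, added here as an example and not part of this note or of Fortinet's tooling, parses the CLI-format configuration text shown above and checks the local-in-policy ordering: an enabled accept rule for the administrative services from a named source object that resolves to a defined address or address group, followed by an enabled deny rule for the same services from "all". The sample configuration embedded in it is constructed from the how-to; the object names MGMT_IPs, port1 and MGMT_GUI_HTTPS come from this page, while the function names are this example's own.

```python
"""Check a FortiOS configuration backup for the admin-access local-in-policy workaround.

Added example for this advisory; it is not Fortinet code. It understands only
the text form of the CLI shown above (config / edit / set / next / end).
"""
import re

# Constructed sample: the workaround from the how-to above, in the form it takes
# in a configuration backup. Hypothetical input, not taken from a real device.
SAMPLE_CONFIG = """\
config firewall address
    edit "WorkPC01"
        set subnet 192.168.0.100 255.255.255.255
    next
    edit "WorkPC02"
        set subnet 192.168.0.101 255.255.255.255
    next
end
config firewall addrgrp
    edit "MGMT_IPs"
        set member "WorkPC01" "WorkPC02"
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_IPs"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "HTTP"
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "HTTP"
        set schedule "always"
        set status enable
    next
end
"""

# Service names the administrative interface uses by default. With a non-default
# port, pass the custom service name (e.g. MGMT_GUI_HTTPS) to check_admin_access.
ADMIN_SERVICES = frozenset({"HTTPS", "HTTP"})


def parse_fortios(text):
    """Parse top-level sections into {section: {entry_id: {key: [values]}}}.

    Nested sub-tables inside an entry are skipped; only depth-1 entries matter
    here. Quoted values keep their spaces and lose their quotes.
    """
    sections, depth, section, entry = {}, 0, None, None
    for raw in text.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw.strip())]
        if not tokens or tokens[0].startswith("#"):
            continue
        cmd = tokens[0]
        if cmd == "config":
            depth += 1
            if depth == 1:
                section = sections.setdefault(" ".join(tokens[1:]), {})
        elif cmd == "end":
            depth -= 1
            if depth == 0:
                section = entry = None
        elif depth != 1 or section is None:
            continue  # inside a nested sub-table: ignored for this check
        elif cmd == "edit" and len(tokens) > 1:
            entry = section.setdefault(tokens[1], {})
        elif cmd == "next":
            entry = None
        elif cmd == "set" and entry is not None and len(tokens) > 2:
            entry[tokens[1]] = tokens[2:]
    return sections


def unresolved_sources(sections, names):
    """Source object names that are neither 'all' nor a defined address/addrgrp."""
    known = set(sections.get("firewall address", {})) | set(sections.get("firewall addrgrp", {}))
    return sorted(n for n in names if n != "all" and n not in known)


def check_admin_access(sections, admin_services=ADMIN_SERVICES):
    """Return (ok, findings). Policies are evaluated in config order, first match wins,
    so the restricted accept must precede the deny-from-all rule."""
    findings, allow_seen, deny_all_seen = [], False, False
    for pid, entry in sections.get("firewall local-in-policy", {}).items():
        if entry.get("status", ["enable"])[0] != "enable":
            continue
        services = set(entry.get("service", []))
        if not (services & admin_services) and "ALL" not in services:
            continue  # policy does not touch the administrative services
        action = entry.get("action", [""])[0]
        srcs = set(entry.get("srcaddr", []))
        if action == "accept":
            if "all" in srcs:
                findings.append(f"policy {pid} accepts admin services from all sources")
            elif deny_all_seen:
                findings.append(f"policy {pid} accept is shadowed by an earlier deny-from-all")
            else:
                missing = unresolved_sources(sections, srcs)
                if missing:
                    findings.append(f"policy {pid} references undefined source objects {missing}")
                allow_seen = True
        elif action == "deny" and "all" in srcs:
            deny_all_seen = True
    if not allow_seen:
        findings.append("no enabled policy accepts admin services from a restricted source")
    if not deny_all_seen:
        findings.append("no enabled policy denies admin services from all sources")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_admin_access(parse_fortios(SAMPLE_CONFIG))
    print("workaround present" if ok else "\n".join(findings))
```

The check matches services by name, so on a device whose administrative interface uses a custom port, call `check_admin_access(sections, admin_services={"MGMT_GUI_HTTPS"})` with the custom service name defined on the page; with the default set such a configuration is reported as lacking both rules, which is the correct result, since policies written for HTTPS would not cover port 8080.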

References

Update