SB2024031818 - Multiple vulnerabilities in Fortigate NGFW on Siemens RUGGEDCOM APE1808 devices
Published: March 18, 2024 Updated: November 15, 2024
Description
This security bulletin contains information about 38 security vulnerabilities.
1) Infinite loop (CVE-ID: CVE-2023-33305)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop in the firmware upgrade function. A remote privileged user can consume all available system resources and cause denial of service conditions via a specially crafted firmware image.
2) Improper Certificate Validation (CVE-ID: CVE-2023-29175)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to improper certificate validation when connecting to a remote FortiGuard's map server. A remote attacker can perform a MitM attack and access or alter sensitive data.
3) Access of Uninitialized Pointer (CVE-ID: CVE-2023-29178)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to access to an uninitialized pointer within the administrative API interface. A remote user can repeatedly send crafted HTTP or HTTPS requests to the API and crash the httpsd process.
4) NULL pointer dereference (CVE-ID: CVE-2023-29179)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote user can send a specially crafted HTTP request to the /proxy endpoint and crash the SSL-VPN daemon.
5) NULL pointer dereference (CVE-ID: CVE-2023-29180)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote non-authenticated attacker can send a specially crafted HTTP request to the /proxy endpoint and crash the SSL-VPN daemon.
6) Format string error (CVE-ID: CVE-2023-29181)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a format string error in the Fclicense daemon. A remote user can send specially crafted requests that contain format string specifiers to the daemon and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
7) Stored cross-site scripting (CVE-ID: CVE-2023-29183)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the guest management settings. A remote user can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
8) Improper access control (CVE-ID: CVE-2023-33301)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the FortiOS REST API component. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
9) NULL pointer dereference (CVE-ID: CVE-2023-33306)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in SSL-VPN. A remote user can send a specially crafted request and perform a denial of service (DoS) attack.
10) Insufficient Session Expiration (CVE-ID: CVE-2023-28001)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to an insufficient session expiration issue in the FortiOS REST API, which results in a persistent websocket connection after deleting the API admin. A remote attacker can reuse the session of a deleted user and gain unauthorized access to the system.
Successful exploitation of the vulnerability requires knowledge of an API token.
11) NULL pointer dereference (CVE-ID: CVE-2023-33307)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in SSL-VPN. A remote user can send a specially crafted request and perform a denial of service (DoS) attack.
12) Reflected cross-site scripting (CVE-ID: CVE-2023-36555)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via the SAML and Security Fabric components. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
13) Format string error (CVE-ID: CVE-2023-36639)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a format string error in HTTPSd. A remote privileged user can send a specially crafted request that contains format string specifiers and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
14) NULL pointer dereference (CVE-ID: CVE-2023-36641)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when processing HTTP headers in SSL VPN. A remote user can send a specially crafted HTTP request to the system and perform a denial of service (DoS) attack.
15) Information disclosure (CVE-ID: CVE-2023-37935)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because authentication tokens are passed via HTTP GET parameters in plain text in the FortiOS SSL VPN component. A remote attacker with the ability to access the parameters of an HTTP GET request (e.g. by accessing proxy logs) can gain access to sensitive information.
16) Interpretation Conflict (CVE-ID: CVE-2023-40718)
The vulnerability allows a remote attacker to bypass implemented security policies.
The vulnerability exists due to an interpretation conflict when handling custom TCP flags. A remote attacker can send specially crafted TCP packets to evade NGFW policies or IPS Engine protection.
17) Use-after-free (CVE-ID: CVE-2023-41675)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the Web proxy process. A remote non-authenticated attacker can send multiple specially crafted packets to the device and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that SSL deep packet inspection is enabled.
18) Improper Authorization (CVE-ID: CVE-2023-41841)
The vulnerability allows a remote user to escalate privileges on the device.
The vulnerability exists due to improper authorization within the Web UI component. A remote authenticated user with the prof-admin profile can perform elevated actions on the device.
19) Improper validation of integrity check value (CVE-ID: CVE-2023-28002)
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to improper validation of the integrity check value in FortiOS and FortiProxy VMs. A local admin user can boot a malicious image on the device and bypass the filesystem integrity check in place.
20) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2023-26207)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists because the software stores sensitive information in log files. A remote user can read certain SMTP passwords in plain text.
21) Cross-site scripting (CVE-ID: CVE-2022-41330)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the administrative interface. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
22) Buffer Underwrite ('Buffer Underflow') (CVE-ID: CVE-2023-25610)
The vulnerability allows a remote attacker to compromise the affected device.
The vulnerability exists due to a heap buffer underflow in the administrative interface. A remote non-authenticated attacker can send a specially crafted request to the administrative web interface of the affected device, trigger memory corruption and execute arbitrary code on the system.
23) Heap-based buffer overflow (CVE-ID: CVE-2023-27997)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the SSL-VPN feature. A remote non-authenticated attacker can send specially crafted requests to the SSL-VPN interface, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
24) Stack-based buffer overflow (CVE-ID: CVE-2023-33308)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing specially crafted packets. A remote unauthenticated attacker can send specially crafted packets to the device having proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
25) Improper Certificate Validation (CVE-ID: CVE-2022-39948)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to improper certificate validation when establishing secure connections with threat feed fabric connectors. A remote attacker can perform a MitM attack on the communication channel between the affected device and the remote servers hosting threat feeds.
26) Cleartext transmission of sensitive information (CVE-ID: CVE-2022-41327)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists because the software uses an insecure communication channel to transmit sensitive information. A local user with readonly superadmin privileges can intercept traffic in order to obtain other administrators' cookies via diagnose CLI commands.
27) Path traversal (CVE-ID: CVE-2022-41328)
The vulnerability allows a local user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing a certain CLI command. A local user can read and write arbitrary files on the system.
Note, the vulnerability is being actively exploited in the wild.
28) Improper access control (CVE-ID: CVE-2022-41329)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted HTTP request and obtain sensitive logging information on the device.
29) Cross-site scripting (CVE-ID: CVE-2022-41334)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "redir" parameter of the Login page when the "Sign in with FortiCloud" button is clicked. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
30) Open redirect (CVE-ID: CVE-2023-22641)
The vulnerability allows a remote attacker to redirect victims to an arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in sslvpnd. A remote attacker can create a link that appears to lead to a trusted website but, when clicked, redirects the victim to an arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
31) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-42469)
The vulnerability allows a remote user to bypass implemented policy.
The vulnerability exists due to improperly imposed permissions in FortiGate Policy-based NGFW Mode. A remote SSL-VPN user can bypass the policy via bookmarks in the web portal.
32) Path traversal (CVE-ID: CVE-2022-42474)
The vulnerability allows a remote user to delete arbitrary directories on the system.
The vulnerability exists due to an input validation error when processing directory traversal sequences within the administrative interface. A remote user can send a specially crafted HTTP request and delete arbitrary directories from the filesystem.
33) Path traversal (CVE-ID: CVE-2022-42476)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A local privileged VDOM administrator can escalate their privileges to super admin of the box via crafted CLI requests.
34) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2022-43947)
The vulnerability allows a remote attacker to perform a brute-force attack.
The vulnerability exists due to improper restriction of excessive authentication attempts in the administrative interface. A remote attacker with access to the administrative interface can perform a brute-force attack and gain unauthorized access to the system.
35) Format string error (CVE-ID: CVE-2022-43953)
The vulnerability allows a local user to escalate privileges on the device.
The vulnerability exists due to a format string error in the fortiguard-resources CLI command. A local user can pass a specially crafted argument to the affected CLI command and execute arbitrary code on the target system.
36) NULL pointer dereference (CVE-ID: CVE-2022-45861)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the SSL-VPN portal. A remote authenticated user can send a specially crafted HTTP GET request and perform a denial of service (DoS) attack.
37) Out-of-bounds write (CVE-ID: CVE-2023-22639)
The vulnerability allows a local user to escalate privileges on the device.
The vulnerability exists due to a boundary error within the CLI. A local user can pass specially crafted arguments to the affected command to trigger an out-of-bounds write and execute arbitrary code on the target system.
38) Out-of-bounds write (CVE-ID: CVE-2023-22640)
The vulnerability allows a remote user to compromise the vulnerable system.
The vulnerability exists due to a boundary error in sslvpnd. A remote authenticated user can send a specially crafted request to trigger an out-of-bounds write and execute arbitrary code on the target system.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.