Table of Contents
July 14, 2023
|5m
Breaking Down the Latest July 2023 Monthly PSIRT Advisory Report From Fortinet
Fortinet has recently released its July 2023 Monthly PSIRT Advisory Report on 11th July 2023, which we’ve covered in this detailed report. This report describes newly released security vulnerabilities affecting Fortinet products. The report is an essential resource for IT professionals and organizations utilizing Fortinet products, as it helps them stay informed about potential risks, allowing them to take the necessary actions to ensure their systems remain secure.
Through this report, you will understand the severity of each vulnerability, the steps needed to mitigate the risks, and take the necessary actions to enhance the security structure against potential threats. IT professionals and organizations are encouraged to closely monitor Fortinet’s PSIRT Advisories and adapt their security measures based on the findings. By staying up-to-date on the latest vulnerabilities and fixes, users can continue to leverage Fortinet’s cutting-edge technologies while maintaining a secure and robust digital infrastructure.
Summary of July 2023 Monthly PSIRT Advisory Report
Key highlights:
4 vulnerabilities have been identified in total. Among these, 1 is critical, 1 has high severity, and 2 are of medium severity.
The critical vulnerability found in FortiOS and FortiProxy could potentially allow an attacker to execute arbitrary code due to a stack-based buffer overflow.
The products affected by these vulnerabilities include FortiOS, FortiProxy, FortiExtender, FortiAnalyzer, and FortiManager.
Vulnerabilities by Category
The July 2023 Monthly PSIRT Advisory Report presents 4 vulnerabilities affecting multiple FortiGate products. Below is a table giving the overview of each vulnerability type identified in the report:
| Vulnerability Type | Number of Occurrences |
| Stack-based overflow vulnerability [CWE-124] | 1 |
| Path Traversal vulnerability [CWE-22] | 2 |
| Insufficient session expiration [CWE-613] vulnerability | 1 |
Vulnerabilities by Product
Please refer to this table if you want to know the list of vulnerabilities by the Fortinet products.
| Fortinet Product | Number of Occurrence |
| FortiOS | 2 |
| FortiProxy | 1 |
| FortiAnalyzer | 1 |
| FortiExtender | 1 |
| FortiManager | 1 |
List of Vulnerabilities Patched in July 2023 Monthly PSIRT Advisory Report
This table shows the breakdown of all 4 vulnerabilities published in the July 2023 Monthly PSIRT Advisory Report.
| CVE | Summary | CVSSv3 Score | Severity | Products Affected | Product Fixed |
| CVE-2023-33308 | A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. | 9.8 | Critical | FortiOS version 7.2.0 through 7.2.3FortiOS version 7.0.0 through 7.0.10FortiProxy version 7.2.0 through 7.2.2FortiProxy version 7.0.0 through 7.0.9 | Please upgrade to FortiOS version 7.4.0 or abovePlease upgrade to FortiOS version 7.2.4 or abovePlease upgrade to FortiOS version 7.0.11 or abovePlease upgrade to FortiProxy version 7.2.3 or abovePlease upgrade to FortiProxy version 7.0.10 or above |
| CVE-2022-23447 | An improper limitation of a pathname to a restricted directory Path Traversal vulnerability [CWE-22] in FortiExtender management interface may allow an unauthenticated and remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. | 7.3 | High | FortiExtender version 7.0.0 through 7.0.3FortiExtender version 4.2.0 through 4.2.4FortiExtender version 4.1.1 through 4.1.8FortiExtender version 4.0.0 through 4.0.2FortiExtender version 3.3.0 through 3.3.2FortiExtender version 3.2.1 through 3.2.3FortiExtender 5.3 all versions | Please upgrade to FortiExtender version 7.2.0 or abovePlease upgrade to FortiExtender version 7.0.4 or abovePlease upgrade to FortiExtender version 4.2.5 or abovePlease upgrade to FortiExtender version 4.1.9 or abovePlease upgrade to FortiExtender version 4.0.3 or abovePlease upgrade to FortiExtender version 3.3.3 or abovePlease upgrade to FortiExtender version 3.2.4 or above |
| CVE-2023-28001 | An insufficient session expiration [CWE-613] vulnerability in FortiOS REST API may allow an attacker to reuse the session of a deleted user, should the attacker manage to obtain the API token. | 4.1 | Medium | FortiOS version 7.2.0 through 7.2.4FortiOS 7.0 all versions | Please upgrade to FortiOS version 7.4.0 or abovePlease upgrade to FortiOS version 7.2.5 or above |
| CVE-2023-25606 | An improper limitation of a pathname to a restricted directory Path Traversal vulnerability [CWE-23] in FortiAnalyzer and FortiManager management interface may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. | 6.2 | Medium | FortiManager version 7.2.0 through 7.2.1FortiManager version 7.0.0 through 7.0.5FortiManager version 6.4.0 through 6.4.11FortiAnalyzer version 7.2.0 through 7.2.1FortiAnalyzer version 7.0.0 through 7.0.5FortiAnalyzer version 6.4.0 through 6.4.11 | Please upgrade to FortiManager version 7.2.2 or abovePlease upgrade to FortiManager version 7.0.7 or abovePlease upgrade to FortiManager version 6.4.12 or abovePlease upgrade to FortiAnalyzer version 7.2.2 or abovePlease upgrade to FortiAnalyzer version 7.0.7 or abovePlease upgrade to FortiAnalyzer version 6.4.12 or above |
This report presents complete detail about the July 2023 Monthly PSIRT Advisory Report Fortinet released on July 11, 2023. With this report, you can stay up to date with all newly released vulnerabilities and the recommended steps to take to avoid getting affected by it. You can also share this post and contribute to making the digital world securer and protected. If you want to have more regular posts on topics like these, please visit our website thesecmaster.com and follow us on our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to our content.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
