Monthly PSIRT Advisories refers to an Advisories Report that Fortinet’s Product Security Incident Response Team (PSIRT) team rolls out every month. The report provides a list of advisories for vulnerabilities resolved in Fortinet products. Considering its importance, we have decided to publish a monthly breakdown of the Fortinet Monthly PSIRT Advisory Report on thesecmaster.com. We are going to cover the March 2023 Monthly PSIRT Advisory Report this time and going forward. You are going to see the same report for upcoming months on this website.
Summary of March 2023 Monthly PSIRT Advisory Report:
Fortinet released the March 2023 Monthly PSIRT Advisory Report early this week. Let’s see the summary of the report:
- The report listed 15 vulnerabilities this time, of which 1 is classified as critical, 5 are classified as High, 8 are Medium, and 1 is Low in severity.
- The Critical vulnerability identified is CVE-2023-25610, which is a Heap Buffer Underflow vulnerability in FortiOS & FortiProxy administrative interface that may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI via specifically crafted requests.
- The products affected by this list of 15 vulnerabilities may include FortiOS, FortiProxy, FortiAnalyzer, FortiWeb, FortiNAC, FortiRecorder, FortiManager, FortiMail, FortiPortal, FortiAuthenticator, FortiSwitch, FortiSOAR, FortiDeceptor, and FortiOS-6K7K.
Vulnerabilities by Category:
All 15 vulnerabilities are categorized into 16 different vulnerabilities. Command injection is the most frequently identified vulnerability, appearing 7 times in the March 2023 Monthly PSIRT Advisory Report. Command injection is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application and typically fully compromises the application and all its data. Buffer overflows, and cryptographic vulnerabilities are the next most frequently identified vulnerability types, appearing 6 times each. Path traversal vulnerabilities appear 5 times, and cross-site scripting (XSS) vulnerabilities appear 4 times. Please see this table which provides information on the number of various vulnerability types identified in the March 2023 Monthly PSIRT Advisory Report.
| Vulnerability Type | Number of Occurence |
| Improper access control | 4 |
| injection | 2 |
| Sensitive Information Exposer | 2 |
| Buffer overflows | 1 |
| Path traversal vulnerability | 1 |
| Cross Sight Scripting (XSS) | 1 |
| Denial of Service | 1 |
| Privilege Escalation | 1 |
| Arbitrary file write vulnerability | 1 |
| Path traversal vulnerability | 1 |
Vulnerabilities by Product:
Please refer to this table if you want to know the list of vulnerabilities by the Fortinet products.
| Fortinet Product | Number of Occurrence |
| FortiOS | 5 |
| FortiProy | 4 |
| FortiAnalyzer | 3 |
| FortiWeb | 2 |
| FortiNAC | 2 |
| FortiRecorder | 2 |
| FortiManager | 1 |
| FortiMail | 1 |
| FortiPortal | 1 |
| FortiAuthenticator | 1 |
| FortiSwitch | 1 |
| FortiSOAR | 1 |
| FortiDeceptor | 1 |
| FortiOS-6K7K | 1 |
List of Critical Vulnerabilities- March 2023 Monthly PSIRT Advisory Report:
The severity of the identified vulnerabilities is measured in the CVSS score. CVSS is a scale measured from 0 to 10 where 0 is the least severe and 10 is the most severe Vulnerability. All the vulnerabilities are assigned a CVSS number between 0.0 to 10.10 depending on several factors, including the attack vector, the attack complexity, and the impact on confidentiality, integrity, and availability. The vulnerabilities assigned the CVSS score between 0 to 4 are labeled ‘Low’ severity. The vulnerabilities assigned the CVSS score between 4 to 7 are labeled ‘Medium’ severity. Similarly, the vulnerabilities assigned a CVSS score between 7 to 8 are labeled ‘High’ severity, and the CVSS score between 9 to 10 is ‘Critical’ in severity.
The below table lists the vulnerabilities considered Critical in severity.
| CVE ID | Vulnerability | Vulnerable Product/Application | Solution |
|---|---|---|---|
| CVE-2023-25610 | Heap buffer underflow in administrative interface in FortiOS / FortiProxy | FortiOS version 7.2.0 through 7.2.3 FortiOS version 7.0.0 through 7.0.9 FortiOS version 6.4.0 through 6.4.11 FortiOS version 6.2.0 through 6.2.12 FortiOS 6.0 all versions FortiProxy version 7.2.0 through 7.2.2 FortiProxy version 7.0.0 through 7.0.8 FortiProxy version 2.0.0 through 2.0.11 FortiProxy 1.2 all versions FortiProxy 1.1 all versions | Please upgrade to FortiOS version 7.4.0 or above Please upgrade to FortiOS version 7.2.4 or above Please upgrade to FortiOS version 7.0.10 or above Please upgrade to FortiOS version 6.4.12 or above Please upgrade to FortiOS version 6.2.13 or above Please upgrade to FortiProxy version 7.2.3 or above Please upgrade to FortiProxy version 7.0.9 or above Please upgrade to FortiProxy version 2.0.12 or above Please upgrade to FortiOS-6K7K version 7.0.10 or above Please upgrade to FortiOS-6K7K version 6.4.12 or above Please upgrade to FortiOS-6K7K version 6.2.13 or above |
Comprehensive List of Vulnerabilities Patched in March 2023 Monthly PSIRT Advisory Report:
We have segregated the list into multiple lists by the Applications. You can refer to the complete list of the official Fortinet security updates here.
FortiOS
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2023-25610 | Heap buffer underflow in administrative interface in FortiOS / FortiProxy | 9.3 | Critical | FortiOS version 7.2.0 through 7.2.3FortiOS version 7.0.0 through 7.0.9FortiOS version 6.4.0 through 6.4.11FortiOS version 6.2.0 through 6.2.12FortiOS 6.0 all versionsFortiProxy version 7.2.0 through 7.2.2FortiProxy version 7.0.0 through 7.0.8FortiProxy version 2.0.0 through 2.0.11FortiProxy 1.2 all versionsFortiProxy 1.1 all versions | Please upgrade to FortiOS version 7.4.0 or abovePlease upgrade to FortiOS version 7.2.4 or abovePlease upgrade to FortiOS version 7.0.10 or abovePlease upgrade to FortiOS version 6.4.12 or abovePlease upgrade to FortiOS version 6.2.13 or abovePlease upgrade to FortiProxy version 7.2.3 or abovePlease upgrade to FortiProxy version 7.0.9 or abovePlease upgrade to FortiProxy version 2.0.12 or abovePlease upgrade to FortiOS-6K7K version 7.0.10 or abovePlease upgrade to FortiOS-6K7K version 6.4.12 or abovePlease upgrade to FortiOS-6K7K version 6.2.13 or above |
| CVE-2022-42476 | Path traversal vulnerability allows VDOM escaping in FortiOS / FortiProxy | 7.8 | High | FortiOS version 7.2.0 through 7.2.3 FortiOS version 7.0.0 through 7.0.8 FortiOS version 6.4.0 through 6.4.11 FortiOS version 6.2.0 through 6.2.12 FortiProxy version 7.2.0 through 7.2.1 FortiProxy version 7.0.0 through 7.0.7 FortiProxy version 2.0.0 through 2.0.11 FortiProxy version 1.2.0 through 1.2.13 FortiProxy version 1.1.0 through 1.1.6 Note: Impact on FortiProxy 7.0.x, 2.0.x, 1.2.x, 1.1.x is minor as it does not have VDOMs | Please upgrade to FortiProxy version 7.2.2 or above Please upgrade to FortiProxy version 7.0.8 or above Please upgrade to FortiOS version 7.2.4 or above Please upgrade to FortiOS version 7.0.9 or above Please upgrade to FortiOS version 6.4.12 or above Please upgrade to FortiOS version 6.2.13 or above |
| CVE-2022-45861 | Access of NULL pointer in SSLVPNd in FortiOS & FortiProxy | 6.4 | Medium | FortiOS version 7.2.0 through 7.2.3 FortiOS version 7.0.0 through 7.0.9 FortiOS version 6.4.0 through 6.4.11 FortiOS 6.2 all versions FortiProxy version 7.2.0 through 7.2.1 FortiProxy version 7.0.0 through 7.0.7 FortiProxy version 2.0.0 through 2.0.11 FortiProxy 1.2 all versionsFortiProxy 1.1 all versions | Please upgrade to FortiOS version 7.2.4 or above Please upgrade to FortiOS version 7.0.10 or above Please upgrade to FortiOS version 6.4.12 or above Please upgrade to FortiProxy version 7.2.2 or above Please upgrade to FortiProxy version 7.0.8 or above Please upgrade to FortiProxy version 2.0.12 or above |
| CVE-2022-41328 | Path traversal in execute command in FortiOS | 6.5 | Medium | FortiOS version 7.2.0 through 7.2.3 FortiOS version 7.0.0 through 7.0.9 FortiOS version 6.4.0 through 6.4.11 FortiOS 6.2 all versionsFortiOS 6.0 all versions | Please upgrade to FortiOS version 7.2.4 or above Please upgrade to FortiOS version 7.0.10 or above Please upgrade to FortiOS version 6.4.12 or above |
| CVE-2022-41329 | Unauthenticated access to static files containing logging information in FortiOS / FortiProxy | 5.2 | Medium | FortiProxy version 7.2.0 through 7.2.2 FortiProxy version 7.0.0 through 7.0.8 FortiOS version 7.2.0 through 7.2.3 FortiOS version 7.0.0 through 7.0.9 FortiOS version 6.4.0 through 6.4.11 FortiOS version 6.2.3 and above | Please upgrade to FortiProxy version 7.2.3 or above Please upgrade to FortiProxy version 7.0.9 or above Please upgrade to FortiOS version 7.2.4 or above Please upgrade to FortiOS version 7.0.10 or above Please upgrade to FortiOS version 6.4.12 or above |
FortiProxy
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2023-25610 | Heap buffer underflow in administrative interface in FortiOS / FortiProxy | 9.3 | Critical | FortiOS version 7.2.0 through 7.2.3 FortiOS version 7.0.0 through 7.0.9 FortiOS version 6.4.0 through 6.4.11 FortiOS version 6.2.0 through 6.2.12 FortiOS 6.0 all versions FortiProxy version 7.2.0 through 7.2.2 FortiProxy version 7.0.0 through 7.0.8 FortiProxy version 2.0.0 through 2.0.11 FortiProxy 1.2 all versionsFortiProxy 1.1 all versions | Please upgrade to FortiOS version 7.4.0 or above Please upgrade to FortiOS version 7.2.4 or above Please upgrade to FortiOS version 7.0.10 or above Please upgrade to FortiOS version 6.4.12 or above Please upgrade to FortiOS version 6.2.13 or above Please upgrade to FortiProxy version 7.2.3 or above Please upgrade to FortiProxy version 7.0.9 or above Please upgrade to FortiProxy version 2.0.12 or above Please upgrade to FortiOS-6K7K version 7.0.10 or above Please upgrade to FortiOS-6K7K version 6.4.12 or above Please upgrade to FortiOS-6K7K version 6.2.13 or above |
| CVE-2022-42476 | Path traversal vulnerability allows VDOM escaping in FortiOS / FortiProxy | 7.8 | High | FortiOS version 7.2.0 through 7.2.3 FortiOS version 7.0.0 through 7.0.8 FortiOS version 6.4.0 through 6.4.11 FortiOS version 6.2.0 through 6.2.12 FortiProxy version 7.2.0 through 7.2.1 FortiProxy version 7.0.0 through 7.0.7 FortiProxy version 2.0.0 through 2.0.11 FortiProxy version 1.2.0 through 1.2.13 FortiProxy version 1.1.0 through 1.1.6Note: Impact on FortiProxy 7.0.x, 2.0.x, 1.2.x, 1.1.x is minor as it does not have VDOMs | Please upgrade to FortiProxy version 7.2.2 or above Please upgrade to FortiProxy version 7.0.8 or above Please upgrade to FortiOS version 7.2.4 or above Please upgrade to FortiOS version 7.0.9 or above Please upgrade to FortiOS version 6.4.12 or above Please upgrade to FortiOS version 6.2.13 or above |
| CVE-2022-45861 | Access of NULL pointer in SSLVPNd in FortiOS & FortiProxy | 6.4 | Medium | FortiOS version 7.2.0 through 7.2.3 FortiOS version 7.0.0 through 7.0.9 FortiOS version 6.4.0 through 6.4.11FortiOS 6.2 all versions FortiProxy version 7.2.0 through 7.2.1 FortiProxy version 7.0.0 through 7.0.7 FortiProxy version 2.0.0 through 2.0.11 FortiProxy 1.2 all versionsFortiProxy 1.1 all versions | Please upgrade to FortiOS version 7.2.4 or above Please upgrade to FortiOS version 7.0.10 or above Please upgrade to FortiOS version 6.4.12 or above Please upgrade to FortiProxy version 7.2.2 or above Please upgrade to FortiProxy version 7.0.8 or above Please upgrade to FortiProxy version 2.0.12 or above |
| CVE-2022-41329 | Unauthenticated access to static files containing logging information in FortiOS / FortiProxy | 5.2 | Medium | FortiProxy version 7.2.0 through 7.2.2 FortiProxy version 7.0.0 through 7.0.8 FortiOS version 7.2.0 through 7.2.3 FortiOS version 7.0.0 through 7.0.9 FortiOS version 6.4.0 through 6.4.11 FortiOS version 6.2.3 and above | Please upgrade to FortiProxy version 7.2.3 or above Please upgrade to FortiProxy version 7.0.9 or above Please upgrade to FortiOS version 7.2.4 or above Please upgrade to FortiOS version 7.0.10 or above Please upgrade to FortiOS version 6.4.12 or above |
FortiAnalyzer
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2022-42476 | Path traversal vulnerability allows VDOM escaping in FortiOS / FortiProxy | 7.8 | Medium | FortiOS version 7.2.0 through 7.2.3FortiOS version 7.0.0 through 7.0.8FortiOS version 6.4.0 through 6.4.11FortiOS version 6.2.0 through 6.2.12FortiProxy version 7.2.0 through 7.2.1FortiProxy version 7.0.0 through 7.0.7FortiProxy version 2.0.0 through 2.0.11FortiProxy version 1.2.0 through 1.2.13FortiProxy version 1.1.0 through 1.1.6Note: Impact on FortiProxy 7.0.x, 2.0.x, 1.2.x, 1.1.x is minor as it does not have VDOMs | Please upgrade to FortiProxy version 7.2.2 or abovePlease upgrade to FortiProxy version 7.0.8 or abovePlease upgrade to FortiOS version 7.2.4 or abovePlease upgrade to FortiOS version 7.0.9 or abovePlease upgrade to FortiOS version 6.4.12 or abovePlease upgrade to FortiOS version 6.2.13 or above |
| CVE-2023-23776 | The log-fetch client request password is shown in clear text in the heartbeat response in FortiAnalyzer | 4.6 | Medium | FortiAnalyzer version 7.2.0 through 7.2.1 FortiAnalyzer version 7.0.0 through 7.0.4 FortiAnalyzer version 6.4.0 through 6.4.10 | Please upgrade to FortiAnalyzer version 7.2.2 or above Please upgrade to FortiAnalyzer version 7.0.5 or above Please upgrade to FortiAnalyzer version 6.4.11 or above |
| CVE-2022-27490 | Information disclosure through diagnose debug commands in FortiManager, FortiAnalyzer, FortiPortal & FortiSwitch | 5.1 | Medium | At leastFortiManager version 6.0.0 through 6.0.4 At leastFortiAnalyzer version 6.0.0 through 6.0.4 At leastFortiPortal 4.1 all versions FortiPortal 4.2 all versions FortiPortal 5.0 all versions FortiPortal 5.1 all versions FortiPortal 5.2 all versions FortiPortal 5.3 all versions FortiPortal version 6.0.0 through 6.0.9At least FortiSwitch version 6.0.0 through 6.0.7 FortiSwitch version 6.2.0 through 6.2.7 FortiSwitch version 6.4.0 through 6.4.10 FortiSwitch version 7.0.0 through 7.0.4 | Upgrade to FortiManager version 6.0.5 and above Upgrade to FortiManager version 6.2.0 and above. Upgrade to FortiAnalyzer version 6.0.5 and above, Upgrade to FortiAnalyzer version 6.2.0 and above. Upgrade to FortiPortal version 6.0.10 and above. Upgrade to FortiSwitch version 6.4.11 and above, Upgrade to FortiSwitch version 7.0.5 and above. |
FortiWeb
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2022-39951 | command injection in webserver in FortiWeb | 7.2 | Medium | FortiWeb version 7.0.0 through 7.0.2 FortiWeb version 6.3.6 through 6.3.20 FortiWeb 6.4 all versions | Please upgrade to FortiWeb version 7.2.0 or above Please upgrade to FortiWeb version 7.0.3 or above Please upgrade to FortiWeb version 6.3.21 or above |
| CVE-2022-22297 | Arbitrary file read through command line pipe in FortiWeb and FortiRecorder | 5.2 | Medium | FortiWeb version 6.4.0 through 6.4.1 FortiWeb version 6.3.0 through 6.3.17 FortiWeb all versions 6.2 FortiWeb all versions 6.1 FortiWeb all versions 6.0 FortiRecorder version 6.4.0 through 6.4.3 FortiRecorder all versions 6.0 FortiRecorder all versions 2.7 | Upgrade to FortiWeb version 7.0.0 or above, Upgrade to FortiWeb version 6.4.2 or above. Upgrade to FortiWeb version 6.3.18 or above. Upgrade to FortiRecorder version 7.0.0 or above Upgrade to FortiRecorder version 6.4.4 or above |
FortiNac
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2022-40676 | Multiple Reflected XSS in FortiNAC | 7.1 | Medium | FortiNAC version 9.4.0 FortiNAC version 9.2.0 through 9.2.5 FortiNAC version 9.1.0 through 9.1.8 FortiNAC all versions 8.8, 8.7, 8.6, 8.5, 8.3 | Please upgrade to FortiNAC version 9.4.1 or above Please upgrade to FortiNAC version 9.2.6 or above Please upgrade to FortiNAC version 9.1.9 or above Please upgrade to FortiNAC version 7.2.0 or above |
| CVE-2022-39953 | Multiple privilege escalation via sudo command in FortiNAC | 7.8 | Medium | FortiNAC version 9.4.0 through 9.4.1 FortiNAC version 9.2.0 through 9.2.6 FortiNAC version 9.1.0 through 9.1.8 FortiNAC all versions 8.8, 8.7, 8.6, 8.5, 8.3 | Please upgrade to FortiNAC version 9.4.2 or above Please upgrade to FortiNAC version 9.2.7 or above Please upgrade to FortiNAC version 9.1.9 or above Please upgrade to FortiNAC version 7.2.0 or above |
Fortirecorder
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2022-41333 | DoS in login authentication mechanism in FortiRecorder | 6.8 | Medium | FortiRecorder 6.4.3 and below, FortiRecorder 6.0.11 to 6.0.0 | Please upgrade to FortiRecorder version 7.0.0 or abovePlease upgrade to FortiRecorder version 6.4.4 or abovePlease upgrade to FortiRecorder version 6.0.12 or above |
| CVE-2022-22297 | Arbitrary file read through command line pipe in FortiWeb and FortiRecorder | 5.2 | Medium | FortiWeb version 6.4.0 through 6.4.1 FortiWeb version 6.3.0 through 6.3.17 FortiWeb all versions 6.2 FortiWeb all versions 6.1FortiWeb all versions 6.0 FortiRecorder version 6.4.0 through 6.4.3 FortiRecorder all versions 6.0 FortiRecorder all versions 2.7 | Upgrade to FortiWeb version 7.0.0 or above, Upgrade to FortiWeb version 6.4.2 or above. Upgrade to FortiWeb version 6.3.18 or above. Upgrade to FortiRecorder version 7.0.0 or above Upgrade to FortiRecorder version 6.4.4 or above |
FortiManager
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2022-27490 | DoS in login authentication mechanism in FortiRecorder | 5.1 | Medium | At leastFortiManager version 6.0.0 through 6.0.4 At leastFortiAnalyzer version 6.0.0 through 6.0. 4At leastFortiPortal 4.1 all versions FortiPortal 4.2 all versions FortiPortal 5.0 all versions FortiPortal 5.1 all versions FortiPortal 5.2 all versions FortiPortal 5.3 all versions FortiPortal version 6.0.0 through 6.0.9At least FortiSwitch version 6.0.0 through 6.0.7 FortiSwitch version 6.2.0 through 6.2.7 FortiSwitch version 6.4.0 through 6.4.10 FortiSwitch version 7.0.0 through 7.0.4 | Upgrade to FortiManager version 6.0.5 and above, Upgrade to FortiManager version 6.2.0 and above. Upgrade to FortiAnalyzer version 6.0.5 and above, Upgrade to FortiAnalyzer version 6.2.0 and above. Upgrade to FortiPortal version 6.0.10 and above. Upgrade to FortiSwitch version 6.4.11 and above, Upgrade to FortiSwitch version 7.0.5 and above. |
FortiMail
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2022-29056 | Improper restriction over excessive authentication attempts | 3.5 | Low | FortiAuthenticator version 6.4 all versions FortiAuthenticator version 6.3 all versions FortiAuthenticator version 6.2 all versions FortiAuthenticator version 6.1 all versions FortiAuthenticator version 6.0 all versions FortiAuthenticator version 5.5 all versions FortiAuthenticator version 5.4 all versions FortiDeceptor version 3.1 all versions FortiDeceptor version 3.0 all versions FortiDeceptor version 2.1 all versions FortiDeceptor version 2.0 all versions FortiDeceptor version 1.1 all versions FortiDeceptor version 1.0 all versionsFortiMail version 6.4.0 FortiMail version 6.2.1 through 6.2.4 FortiMail version 6.0.0 through 6.0.9 | Please upgrade to FortiAuthenticator version 6.5.0 or above, Please upgrade to FortiDeceptor version 3.2.0 or above. Please upgrade to FortiMail version 6.4.1 or above, Please upgrade to FortiMail version 6.2.5 or above, Please upgrade to FortiMail version 6.0.10 or above. |
FortiPortal
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2022-27490 | Information disclosure through diagnose debug commands in FortiManager, FortiAnalyzer, FortiPortal & FortiSwitch | 5.1 | Medium | At leastFortiManager version 6.0.0 through 6.0.4At least FortiAnalyzer version 6.0.0 through 6.0.4At least FortiPortal 4.1 all versions FortiPortal 4.2 all versions FortiPortal 5.0 all versions FortiPortal 5.1 all versions FortiPortal 5.2 all versions FortiPortal 5.3 all versions FortiPortal version 6.0.0 through 6.0.9At least FortiSwitch version 6.0.0 through 6.0.7 FortiSwitch version 6.2.0 through 6.2.7 FortiSwitch version 6.4.0 through 6.4.10 FortiSwitch version 7.0.0 through 7.0.4 | Upgrade to FortiManager version 6.0.5 and above, Upgrade to FortiManager version 6.2.0 and above. Upgrade to FortiAnalyzer version 6.0.5 and above, Upgrade to FortiAnalyzer version 6.2.0 and above. Upgrade to FortiPortal version 6.0.10 and above. Upgrade to FortiSwitch version 6.4.11 and above, Upgrade to FortiSwitch version 7.0.5 and above. |
FortiAuthenticator
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2022-29056 | Improper restriction over excessive authentication attempts in FortiAuthenticator, FortiDeceptor & FortiMail – | 3.5 | Low | FortiAuthenticator version 6.4 all versions FortiAuthenticator version 6.3 all versions FortiAuthenticator version 6.2 all versions FortiAuthenticator version 6.1 all versions FortiAuthenticator version 6.0 all versions FortiAuthenticator version 5.5 all versions FortiAuthenticator version 5.4 all versions FortiDeceptor version 3.1 all versions FortiDeceptor version 3.0 all versions FortiDeceptor version 2.1 all versions FortiDeceptor version 2.0 all versions FortiDeceptor version 1.1 all versions FortiDeceptor version 1.0 all versionsFortiMail version 6.4.0FortiMail version 6.2.1 through 6.2.4 FortiMail version 6.0.0 through 6.0.9 | Please upgrade to FortiAuthenticator version 6.5.0 or above, Please upgrade to FortiDeceptor version 3.2.0 or above. Please upgrade to FortiMail version 6.4.1 or above, Please upgrade to FortiMail version 6.2.5 or above, Please upgrade to FortiMail version 6.0.10 or above. |
FortiAuthenticator
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2022-27490 | Information disclosure through diagnose debug commands in FortiManager, FortiAnalyzer, FortiPortal & FortiSwitch | 5.1 | Medium | At least FortiManager version 6.0.0 through 6.0.4 At least FortiAnalyzer version 6.0.0 through 6.0.4 At least FortiPortal 4.1 all versions FortiPortal 4.2 all versions FortiPortal 5.0 all versions FortiPortal 5.1 all versions FortiPortal 5.2 all versions FortiPortal 5.3 all versions FortiPortal version 6.0.0 through 6.0.9 At least FortiSwitch version 6.0.0 through 6.0.7 FortiSwitch version 6.2.0 through 6.2.7 FortiSwitch version 6.4.0 through 6.4.10 FortiSwitch version 7.0.0 through 7.0.4 | Upgrade to FortiManager version 6.0.5 and above, Upgrade to FortiManager version 6.2.0 and above. Upgrade to FortiAnalyzer version 6.0.5 and above, Upgrade to FortiAnalyzer version 6.2.0 and above. Upgrade to FortiPortal version 6.0.10 and above. Upgrade to FortiSwitch version 6.4.11 and above, Upgrade to FortiSwitch version 7.0.5 and above. |
FortiSOAR
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2023-25605 | Improper Authorization in request headers in FortiSOAR | 7.5 | Medium | FortiSOAR version 7.3.0 through 7.3.1 | Please upgrade to FortiSOAR version 7.3.2 or above |
FortiDeceptor
| CVE | Title | CVSSv3 Score | Severity | Products Affected | Products Fixed |
|---|---|---|---|---|---|
| CVE-2023-25605 | Improper restriction over excessive authentication attempts in FortiAuthenticator, FortiDeceptor & FortiMail | 3.5 | Low | FortiAuthenticator version 6.4 all versions FortiAuthenticator version 6.3 all versions FortiAuthenticator version 6.2 all versions FortiAuthenticator version 6.1 all versions FortiAuthenticator version 6.0 all versions FortiAuthenticator version 5.5 all versions FortiAuthenticator version 5.4 all versions FortiDeceptor version 3.1 all versions FortiDeceptor version 3.0 all versions FortiDeceptor version 2.1 all versions FortiDeceptor version 2.0 all versions FortiDeceptor version 1.1 all versions FortiDeceptor version 1.0 all versions FortiMail version 6.4.0 FortiMail version 6.2.1 through 6.2.4 FortiMail version 6.0.0 through 6.0.9 | Please upgrade to FortiAuthenticator version 6.5.0 or above, Please upgrade to FortiDeceptor version 3.2.0 or above. Please upgrade to FortiMail version 6.4.1 or above, Please upgrade to FortiMail version 6.2.5 or above, Please upgrade to FortiMail version 6.0.10 or above. |
FortiOS-6k7k
| CVE ID | Vulnerability | Vulnerable Product/Application | Solution |
|---|---|---|---|
| CVE-2023-25610 | Heap buffer underflow in administrative interface in FortiOS / FortiProxy | FortiOS version 7.2.0 through 7.2.3 FortiOS version 7.0.0 through 7.0.9 FortiOS version 6.4.0 through 6.4.11 FortiOS version 6.2.0 through 6.2.12 FortiOS 6.0 all versions FortiProxy version 7.2.0 through 7.2.2 FortiProxy version 7.0.0 through 7.0.8 FortiProxy version 2.0.0 through 2.0.11 FortiProxy 1.2 all versions FortiProxy 1.1 all versions | Please upgrade to FortiOS version 7.4.0 or above Please upgrade to FortiOS version 7.2.4 or above Please upgrade to FortiOS version 7.0.10 or above Please upgrade to FortiOS version 6.4.12 or above Please upgrade to FortiOS version 6.2.13 or above Please upgrade to FortiProxy version 7.2.3 or above Please upgrade to FortiProxy version 7.0.9 or above Please upgrade to FortiProxy version 2.0.12 or above Please upgrade to FortiOS-6K7K version 7.0.10 or above Please upgrade to FortiOS-6K7K version 6.4.12 or above Please upgrade to FortiOS-6K7K version 6.2.13 or above |
We hope this post would help you know about the March 2023 Monthly PSIRT Advisory Report published by Fortinet on 7th March 2023. Please share this post and help secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
