PT-2024-3554 · Fortinet · FortiProxy, FortiPAM, FortiOS

Published: 2024-05-14 · Updated: 2024-07-08 · CVE-2023-36640

CVSS v3.1: 6.7 (Medium)
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

FortiProxy versions 1.0.0 through 1.2.13
FortiProxy versions 2.0.0 through 2.0.13
FortiProxy versions 7.0.0 through 7.2.4
FortiPAM versions 1.0.0 through 1.0.3
FortiOS versions 6.0.0 through 6.4.14
FortiOS versions 7.0.0 through 7.2.0
Description

The issue is a use of an externally-controlled format string: input that reaches a format-string argument without sanitization lets an attacker execute unauthorized code or commands via specially crafted CLI commands and HTTP requests, leading to arbitrary code execution. The vulnerability is locally exploitable (AV:L) and requires an authenticated attacker with high privileges (PR:H).
Recommendations

Upgrade every affected release to a newer version to mitigate the risk:
FortiProxy 1.0.0 through 1.2.13, 2.0.0 through 2.0.13, and 7.0.0 through 7.2.4
FortiPAM 1.0.0 through 1.0.3
FortiOS 6.0.0 through 6.4.14 and 7.0.0 through 7.2.0

As a temporary workaround, restrict access to the command-line interpreter and to httpd on affected systems to minimize the risk of exploitation, and avoid feeding specially crafted commands and HTTP requests to affected systems until the issue is resolved.

Fix

Weakness Enumeration

Use of Externally-Controlled Format String

Related Identifiers

BDU:2024-03859
CVE-2023-36640

Affected Products

FortiOS
FortiPAM
FortiProxy