Lucene search
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.FORTIGATE_FG-IR-22-475.NASLHistoryMay 03, 2023 - 12:00 a.m.
Fortinet Fortigate - Out-of-bound-write in sslvpnd (FG-IR-22-475)
2023-05-0300:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
67
fortinet fortigate
sslvpnd
out-of-bounds write
vulnerability
fortios
fortiproxy
cwe-787
arbitrary code execution
authenticated attacker
crafted requests
cve-2023-22640
nessus
self-reported version
scanner
EPSS
0.001
Percentile
35.1%
The version of Fortigate installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-22-475 advisory.
- An out-of-bounds write vulnerability [CWE-787] in sslvpnd of FortiOS and FortiProxy may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted requests.
(CVE-2023-22640)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(175084);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/15");
script_cve_id("CVE-2023-22640");
script_xref(name:"IAVA", value:"2023-A-0239-S");
script_name(english:"Fortinet Fortigate - Out-of-bound-write in sslvpnd (FG-IR-22-475)");
script_set_attribute(attribute:"synopsis", value:
"Fortinet Firewall is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The version of Fortigate installed on the remote host is prior to tested version. It is, therefore, affected by a
vulnerability as referenced in the FG-IR-22-475 advisory.
- An out-of-bounds write vulnerability [CWE-787] in sslvpnd of FortiOS and FortiProxy may allow an
authenticated attacker to achieve arbitrary code execution via specifically crafted requests.
(CVE-2023-22640)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://www.fortiguard.com/psirt/FG-IR-22-475");
script_set_attribute(attribute:"solution", value:
"Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.11 or above
Please upgrade to FortiOS version 6.4.12 or above
Please upgrade to FortiOS version 6.2.14 or above
Please upgrade to FortiProxy version 7.2.2 or above
Please upgrade to FortiProxy version 7.0.8 or above
Workaround:
Disable
Host Check, Restrict to Specific OS Versions and MAC address host checking in
sslvpn
portal configuration. For example for
full-access sslvpn portal:
config vpn ssl web portal
edit full-access
set os-check disable
set host-check none
set mac-addr-check disable
end");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-22640");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/05/03");
script_set_attribute(attribute:"patch_publication_date", value:"2023/05/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/05/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:fortinet:fortiproxy");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Firewalls");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("fortinet_version.nbin");
script_require_keys("Host/Fortigate/model", "Host/Fortigate/version");
exit(0);
}
include('vcf.inc');
include('vcf_extras_fortios.inc');
# If there's a workaround specified in the advisory we're making this require paranoid.
if (report_paranoia < 2) audit(AUDIT_PARANOID);
var app_name = 'Fortigate';
var app_info = vcf::get_app_info(app:app_name, kb_ver:'Host/Fortigate/version');
vcf::fortios::verify_product_and_model(product_name:app_name);
var constraints = [
{ 'min_version' : '6.0.0', 'max_version' : '6.0.16', 'fixed_display' : '6.2.14' },
{ 'min_version' : '6.2.0', 'fixed_version' : '6.2.14' },
{ 'min_version' : '6.4.0', 'fixed_version' : '6.4.12' },
{ 'min_version' : '7.0.0', 'fixed_version' : '7.0.11' },
{ 'min_version' : '7.2.0', 'fixed_version' : '7.2.4' }
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
Related
nvd
nvd
CVE-2023-22640
2023-05-03 22:15:17
cvelist
cvelist
CVE-2023-22640
2023-05-03 21:26:29
cve
cve
CVE-2023-22640
2023-05-03 22:15:17
fortinet
fortinet
Protect
2023-05-03 00:00:00
prion
prion
Cross site scripting
2023-05-03 22:15:00
ics
ics
Siemens RUGGEDCOM APE1808 with Fortigate NGFW Devices
2024-03-14 12:00:00