Headline
CVE-2023-33305: Fortiguard
A loop with unreachable exit condition (‘infinite loop’) in Fortinet FortiOS version 7.2.0 through 7.2.4, FortiOS version 7.0.0 through 7.0.10, FortiOS 6.4 all versions, FortiOS 6.2 all versions, FortiOS 6.0 all versions, FortiProxy version 7.2.0 through 7.2.3, FortiProxy version 7.0.0 through 7.0.9, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions, FortiWeb version 7.2.0 through 7.2.1, FortiWeb version 7.0.0 through 7.0.6, FortiWeb 6.4 all versions, FortiWeb 6.3 all versions allows attacker to perform a denial of service via specially crafted HTTP requests.
** PSIRT Advisories**
FortiOS, FortiProxy & Fortiweb - DoS in firmware upgrade function
Summary
A loop with unreachable exit condition (‘Infinite Loop’) vulnerability [CWE-835] in FortiOS, FortiProxy and Fortiweb may allow an authenticated attacker to perform a denial of service via a specially crafted firmware image.
Affected Products
FortiWeb version 7.2.0 through 7.2.1
FortiWeb version 7.0.0 through 7.0.6
FortiWeb 6.4 all versions
FortiWeb 6.3 all versions
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.10
FortiOS 6.4 all versions
FortiOS 6.2 all versions
FortiOS 6.0 all versions
FortiProxy version 7.2.0 through 7.2.3
FortiProxy version 7.0.0 through 7.0.9
FortiProxy 2.0 all versions
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions
Solutions
Please upgrade to FortiPAM version 1.0.0 or above
Please upgrade to FortiWeb version 7.2.2 or above
Please upgrade to FortiWeb version 7.0.7 or above
Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.5 or above
Please upgrade to FortiOS version 7.0.11 or above
Please upgrade to FortiProxy version 7.2.4 or above
Please upgrade to FortiProxy version 7.0.10 or above
Acknowledgement
Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.
Timeline
2023-06-09: Initial publication