Fortinet fixes critical FortiOS, FortiProxy RCE vulnerability

Fortinet has issued patches to address a critical severity stack-based overflow flaw in several FortiOS and FortiProxy versions, which could be exploited to achieve arbitrary code execution, BleepingComputer reports. Impacted by the vulnerability, tracked as CVE-2023-33308, are FortiOS versions 7.0.0 through 7.0.10 and FortiOS versions 7.2.0 through 7.2.3, as well as FortiProxy versions 7.0.0 through 7.0.9 and FortiProxy versions 7.2.0 through 7.2.2, but not FortiOS versions from the 6.0, 6.2, 6.4, 2.x, and 1.x releases, according to Fortinet. Organizations using the vulnerable instances have been urged to immediately upgrade to the latest versions of FortiOS and FortiProxy, although those that cannot adopt the firmware were advised to deactivate HTTP/2 support on proxy policies' SSL inspection profiles. Meanwhile, patch lag concerns have been noted for a FortiOS buffer overflow bug, tracked as CVE-2023-27997, after nearly 336,000 internet-exposed FortiGate firewalls were found by Bishop Fox to be vulnerable to the flaw a month after the release of a fix.