Webproxy process denial of service
Summary
A use-after-free vulnerability [CWE-416] in FortiOS and FortiProxy may allow an unauthenticated remote attacker to crash the Web Proxy process via multiple crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.
Affected Products
FortiProxy 7.4 all versions are not affected
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.8
FortiProxy 2.0 all versions are not affected
FortiProxy 1.2 all versions are not affected
FortiOS 7.4 all versions are not affected
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.10
FortiOS 6.4 all versions are not affected
Solutions
Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.5 or above
Please upgrade to FortiOS version 7.0.11 or above
Please upgrade to FortiProxy version 7.2.3 or above
Please upgrade to FortiProxy version 7.0.9 or above
FortiSASE is no longer impacted; the issue was remediated in Q2/23.