CVE-2023-25610

Description

A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.6, version 6.4.0 through 6.4.11 and version 6.2.12 and below, FortiProxy version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.8, version 2.0.12 and below and FortiOS-6K7K version 7.0.5, version 6.4.0 through 6.4.10 and version 6.2.0 through 6.2.10 and below allows a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
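As an added illustration (not part of this advisory or of any Fortinet tooling), the Python below checks an inventory of Fortinet device versions against the FortiOS, FortiProxy and FortiOS-6K7K affected ranges quoted in the description above, so an operator can find exposed builds before patching. The inventory rows and host names are constructed; modelling "X and below" as a zero lower bound and reading the FortiOS-6K7K ranges literally are assumptions.

```python
"""Check Fortinet build numbers against the CVE-2023-25610 affected ranges."""
import re

# Inclusive (low, high) ranges as stated in the description. "X and below" is
# modelled with a 0.0.0 lower bound (assumption). The FortiOS-6K7K wording
# ("6.2.0 through 6.2.10 and below") is taken literally as 6.2.0-6.2.10.
AFFECTED = {
    "FortiOS": [((7, 2, 0), (7, 2, 3)), ((7, 0, 0), (7, 0, 6)),
                ((6, 4, 0), (6, 4, 11)), ((0, 0, 0), (6, 2, 12))],
    "FortiProxy": [((7, 2, 0), (7, 2, 2)), ((7, 0, 0), (7, 0, 8)),
                   ((0, 0, 0), (2, 0, 12))],
    "FortiOS-6K7K": [((7, 0, 5), (7, 0, 5)), ((6, 4, 0), (6, 4, 10)),
                     ((6, 2, 0), (6, 2, 10))],
}

_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '7.2.3' or 'v7.0.6,build0366' into a comparable (major, minor, patch)."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True if product/version falls inside one of the affected ranges."""
    ver = parse_version(version)
    return any(low <= ver <= high for low, high in AFFECTED.get(product, []))


def scan_inventory(lines):
    """Return [(host, product, version)] for affected rows of a tab-separated
    'host<TAB>product<TAB>version' inventory; products not listed are skipped."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, product, version = line.rstrip("\n").split("\t")
        if is_affected(product, version):
            hits.append((host, product, version))
    return hits


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    "# host\tproduct\tversion",
    "fw-edge-1\tFortiOS\tv7.2.3,build1262",
    "fw-edge-2\tFortiOS\t7.2.4",
    "proxy-1\tFortiProxy\t7.0.9",
    "proxy-2\tFortiProxy\t2.0.12",
    "chassis-1\tFortiOS-6K7K\t7.0.5",
    "fw-legacy\tFortiOS\t6.0.16",
]

if __name__ == "__main__":
    for host, product, version in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by CVE-2023-25610")
```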

Remediation

Solution:

  • Please upgrade to FortiOS version 7.4.0 or above
  • Please upgrade to FortiOS version 7.2.4 or above
  • Please upgrade to FortiOS version 7.0.10 or above
  • Please upgrade to FortiOS version 6.4.12 or above
  • Please upgrade to FortiOS version 6.2.13 or above
  • Please upgrade to FortiWeb version 7.2.2 or above
  • Please upgrade to FortiWeb version 7.0.7 or above
  • Please upgrade to FortiWeb version 6.4.3 or above
  • Please upgrade to FortiWeb version 6.3.23 or above
  • Please upgrade to FortiWeb version 6.2.8 or above
  • Please upgrade to FortiWeb version 6.1.4 or above
  • Please upgrade to upcoming FortiOS version 6.0.17 or above
  • Please upgrade to FortiSwitchManager version 7.2.2 or above
  • Please upgrade to FortiSwitchManager version 7.0.2 or above
  • Please upgrade to FortiProxy version 7.2.3 or above
  • Please upgrade to FortiProxy version 7.0.9 or above
  • Please upgrade to FortiManager version 7.2.1 or above
  • Please upgrade to FortiManager version 7.0.5 or above
  • Please upgrade to FortiManager version 6.4.12 or above
  • Please upgrade to FortiManager version 6.2.11 or above
  • Please upgrade to FortiManager version 6.0.12 or above
  • Please upgrade to FortiOS-6K7K version 7.0.10 or above
  • Please upgrade to FortiOS-6K7K version 6.4.12 or above
  • Please upgrade to FortiOS-6K7K version 6.2.13 or above
  • Please upgrade to FortiAnalyzer version 7.2.1 or above
  • Please upgrade to FortiAnalyzer version 7.0.5 or above
  • Please upgrade to FortiAnalyzer version 6.4.12 or above
  • Please upgrade to FortiAnalyzer version 6.2.11 or above
  • Please upgrade to FortiAnalyzer version 6.0.12 or above

Workaround for FortiOS:

Disable the HTTP/HTTPS administrative interface, OR limit the IP addresses that can reach the administrative interface:

```
config firewall address
    edit my_allowed_addresses
        set subnet Y IP MY SUBNET
    end
```

Then create an Address Group:

```
config firewall addrgrp
    edit MGMT_IPs
        set member my_allowed_addresses
    end
```

Create the Local-in Policy to restrict access only to the predefined group on the management interface (here: port1):

```
config firewall local-in-policy
    edit 1
        set intf port1
        set srcaddr MGMT_IPs
        set dstaddr all
        set action accept
        set service HTTPS HTTP
        set schedule always
        set status enable
    next
    edit 2
        set intf any
        set srcaddr all
        set dstaddr all
        set action deny
        set service HTTPS HTTP
        set schedule always
        set status enable
    end
```

If using non-default ports, create the appropriate service objects for GUI administrative access:

```
config firewall service custom
    edit GUI_HTTPS
        set tcp-portrange admin-sport
    next
    edit GUI_HTTP
        set tcp-portrange admin-port
    end
```

Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.

When using an HA reserved management interface, the local-in policy needs to be configured slightly differently; please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005

Please contact customer support for assistance.

Workaround for FortiManager and FortiAnalyzer:

Limit the IP addresses that can reach the administrative interface.

Workaround for FortiWeb:

Disable the HTTP/HTTPS administrative interface, OR limit the IP addresses that can reach the administrative interface.

Category

CVSS 3.1 base score: 9.8
Severity: Critical
EPSS: 9.16% (Top 10%)
Affected: Fortinet FortiSwitchManager
Affected: Fortinet FortiAnalyzer
Affected: Fortinet FortiOS-6K7K
Affected: Fortinet FortiProxy
Affected: Fortinet FortiOS
Affected: Fortinet FortiManager
Affected: Fortinet FortiWeb

Frequently Asked Questions

What is the severity of CVE-2023-25610?
CVE-2023-25610 has been scored as a critical severity vulnerability.
How to fix CVE-2023-25610?
To fix CVE-2023-25610: upgrade to one of the fixed releases listed under Remediation above, or, until the upgrade is possible, apply the listed workaround for your product: disable the HTTP/HTTPS administrative interface, or limit the IP addresses that can reach it (on FortiOS, with a local-in policy that accepts only the management address group and denies all other sources).
Is CVE-2023-25610 being actively exploited in the wild?
It is possible that CVE-2023-25610 is being exploited or will be exploited in the near future, based on public information. According to its EPSS score, there is a ~9% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-25610?
CVE-2023-25610 affects Fortinet FortiSwitchManager, Fortinet FortiAnalyzer, Fortinet FortiOS-6K7K, Fortinet FortiProxy, Fortinet FortiOS, Fortinet FortiManager, Fortinet FortiWeb.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.