Overview
Fortinet have released security updates to address vulnerabilities in multiple products.
- CWE-415: a double free vulnerability in the HTTPSd daemon of FortiOS and FortiPAM can allow unauthorised attackers to achieve arbitrary code execution. Affected versions include:
  - FortiOS: 0.0 through 7.0.5
  - FortiPAM 1.1: 1.0 through 1.1.1
  - FortiPAM 1.0: all versions
- CWE-352: a cross-site request forgery vulnerability in FortiMail, FortiNDR, FortiRecorder, FortiSwitch and FortiVoiceEnterprise. The vulnerability can allow unauthorised attackers to execute commands on the command line interface by tricking authenticated administrators into issuing malicious GET requests. Affected versions include:
  - FortiMail 7.2: 0.0 through 7.0.3
  - FortiMail 6.4: 4.0 through 6.4.6
- CWE-134: a format string vulnerability in the HTTPSd daemon of FortiOS, FortiProxy and FortiPAM can allow unauthorised attackers to execute unauthorised code or commands through specially crafted API requests. Affected versions include:
  - FortiOS 7.4: 4.0
  - FortiOS 7.2: 0.2 through 7.2.4
  - FortiOS 7.0: 0.0 through 7.0.11
  - FortiOS 6.4: 4.0 through 6.4.12
  - FortiOS 6.2: 2.0 through 6.2.15
  - FortiOS 6.0: all versions
Apple has released security updates to address vulnerabilities in Safari, iOS, iPadOS and macOS Sonoma. The following updates are available:
- Safari 17.2.1: macOS Monterey and macOS Ventura
- iOS 17.2.1: available for iPhone XS and later
- iOS 16.7.4 and iPadOS 16.7.4: available for:
  - iPhone 8
  - iPhone 8 Plus
  - iPhone X
  - iPad 5th Generation
  - iPad Pro 9.7-inch
  - iPad Pro 12.9-inch 1st Generation
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
Fortinet – CWE-415, CWE-352, and CWE-134.
Apple – Security Updates.
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.