CVE-2023-40720
📋 TL;DR
This vulnerability allows authenticated attackers to bypass authorization controls and access other users' SIP configuration data on FortiVoiceEnterprise systems. Attackers can exploit this by crafting specific HTTP/HTTPS requests. Organizations running affected FortiVoiceEnterprise versions are at risk.
💻 Affected Systems
- FortiVoiceEnterprise
📦 What is this software?
Fortivoice by Fortinet
Fortivoice by Fortinet
Fortivoice by Fortinet
Fortivoice by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map the entire SIP infrastructure, identify vulnerable endpoints, and potentially intercept or manipulate VoIP communications across the organization.
Likely Case
Unauthorized access to sensitive SIP configuration data including usernames, passwords, server addresses, and call routing information, enabling further attacks against the VoIP infrastructure.
If Mitigated
Limited exposure if network segmentation isolates VoIP systems and strict access controls are implemented, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires authenticated access but involves simple HTTP request manipulation. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.2 or 6.4.8 and later
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-23-282
Restart Required: Yes
Instructions:
1. Backup current configuration. 2. Download appropriate firmware version (7.0.2 for 7.x branch, 6.4.8+ for 6.x branch). 3. Upload firmware via web interface. 4. Install update. 5. Reboot system. 6. Verify SIP functionality post-update.
🔧 Temporary Workarounds
Restrict Web Interface Access
allLimit access to FortiVoiceEnterprise web interface to only authorized administrative networks and users.
Configure firewall rules to restrict access to FortiVoiceEnterprise management IP/ports
Implement Network Segmentation
allIsolate VoIP network from general corporate network to limit lateral movement.
Configure VLANs and firewall rules to segment VoIP traffic
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual authentication patterns or configuration access attempts.
- Consider deploying a WAF or reverse proxy with request validation rules to block crafted HTTP requests targeting SIP endpoints.
🔍 How to Verify
Check if Vulnerable:
Check FortiVoiceEnterprise version via web interface: System > Dashboard > System Information, or CLI: get system statusCheck Version:
get system status | grep VersionVerify Fix Applied:
Verify version is 7.0.2 or higher for 7.x branch, or 6.4.8 or higher for 6.x branch. Test SIP configuration access controls.📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts for SIP configuration access
- Unusual pattern of configuration read requests from non-admin users
- HTTP requests with manipulated parameters targeting SIP endpoints
Network Indicators:
- Unusual HTTP/HTTPS traffic patterns to FortiVoiceEnterprise management interface
- Requests to SIP configuration endpoints from unauthorized IP ranges
SIEM Query:
source="fortivoice" AND (uri="*sip*" OR uri="*config*") AND user!="admin" AND action="read"