UPDATE 7/6/2023 -  Last month, Avertium published a flash notice regarding a critical heap-based overflow vulnerability (CVE-2023-27997) found in Fortinet iOS and FortiProxy SSL-VPN. The vulnerability could allow an attacker to interfere via the VPN, even if MFA is enabled. Despite the release of updates by Fortinet, over 300,000 FortiGate firewall appliances remain vulnerable and accessible through the public internet.  

During an investigation by Bishop Fox researchers, it was discovered that many of the exposed FortiGate devices had not received an update for the past eight years, with some of them running end-of-life software such as FortiOS 6. Now, the exposed devices are vulnerable to CVE-2023-27997 and other security flaws that have a publicly available proof-of-concept.  

If successful, an unauthenticated attacker could execute remote code on vulnerable devices with the SSL VPN interface exposed on the web. Fortinet has provided updates and has released FortiOS firmware versions:  

  • 6.0.17 
  • 6.2.15 
  • 6.4.13 
  • 7.0.12 
  • 7.2.5 

Now that a PoC is publicly available, it is highly recommended that you patch your devices immediately, as CVE-2023-27997 now has a CVSS score of 9.8. Currently, there are no new updates from Fortinet regarding the vulnerability. As a result, the same recommendations provided in Avertium's original flash notice still apply. 

overview

A critical heap-based buffer overflow vulnerability (CVE-2023-27997) was found in Fortinet iOS and FortiProxy SSL-VPN. According to the cybersecurity firm Olympe Cyberdefense, the vulnerability could allow an attacker to interfere via the VPN, even if MFA is enabled.  

The impacted products are as follows:  

  • FortiOS-6K7K version 7.0.10 
  • FortiOS-6K7K version 7.0.5 
  • FortiOS-6K7K version 6.4.12 
  • FortiOS-6K7K version 6.4.10 
  • FortiOS-6K7K version 6.4.8 
  • FortiOS-6K7K version 6.4.6 
  • FortiOS-6K7K version 6.4.2 
  • FortiOS-6K7K version 6.2.9 through 6.2.13 
  • FortiOS-6K7K version 6.2.6 through 6.2.7 
  • FortiOS-6K7K version 6.2.4 
  • FortiOS-6K7K version 6.0.12 through 6.0.16 
  • FortiOS-6K7K version 6.0.10 

At least 

  • FortiProxy version 7.2.0 through 7.2.3 
  • FortiProxy version 7.0.0 through 7.0.9 
  • FortiProxy version 2.0.0 through 2.0.12 
  • FortiProxy 1.2 all versions 
  • FortiProxy 1.1 all versions 

At least 

  • FortiOS version 7.2.0 through 7.2.4 
  • FortiOS version 7.0.0 through 7.0.11 
  • FortiOS version 6.4.0 through 6.4.12 
  • FortiOS version 6.2.0 through 6.2.13 
  • FortiOS version 6.0.0 through 6.0.16 

Fortinet released an advisory last night acknowledging the vulnerability, but security researchers suspect that the company quietly patched it as patches were released before the advisory was put out. Once reports surfaced about CVE-2023-27997, Fortinet shared the following statement with several news outlets.  

“Timely and ongoing communications with our customers is a key component in our efforts to best protect and secure their organization. There are instances where confidential advance customer communications can include early warning on Advisories to enable customers to further strengthen their security posture, prior to the Advisory being publicly released to a broader audience. This process follows best practices for responsible disclosure to ensure our customers have the timely information they need to help them make informed risk-based decisions. For more on Fortinet's responsible disclosure process, visit the Fortinet Product Security Incident Response Team (PSIRT) page: https://www.fortiguard.com/psirt_policy.”  

CVE-2023-27997 has not yet been exploited, but the issue is urgent as the vulnerability has a CVSS score of 9.2 and is likely to be promptly exploited once threat actors discover and analyze it. Being widely recognized as leading firewall and VPN devices in the market, Fortinet devices have gained significant popularity, making them a prime target for attacks.  

   

 

avertium's recommendationS

If an available update does not appear in the device's dashboard, it is recommended to reboot the device, as this may prompt the update to become visible.   
  • If rebooting does not resolve the issue, then you should manually download and install the update. 
  • As a workaround, Fortinet recommends disabling SSL-VPN. 
  • Per Fortinet, please upgrade to the following versions 
    • FortiOS-6K7K version 7.0.12 or above 
    • FortiOS-6K7K version 6.4.13 or above 
    • FortiOS-6K7K version 6.2.15 or above 
    • FortiOS-6K7K version 6.0.17 or above 
    • FortiProxy version 7.2.4 or above 
    • FortiProxy version 7.0.10 or above 
    • FortiOS version 7.4.0 or above 
    • FortiOS version 7.2.5 or above 
    • FortiOS version 7.0.12 or above 
    • FortiOS version 6.4.13 or above 
    • FortiOS version 6.2.14 or above 
    • FortiOS version 6.0.17 or above 

 

 

INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with CVE-2023-27997. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.    

 

 

How Avertium is Protecting Our CUSTOMERS

  • Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
  • Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement.  
  • Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 





 

SUPPORTING DOCUMENTATION

CVE - CVE-2023-27997 (mitre.org) 

Fortinet patches pre-auth RCE, update your Fortigate firewalls ASAP! (CVE-2023-27997) - Help Net Security 

Fortinet FortiGate VPN-SSL | Olympus Cyberdefense (olympecyberdefense.fr) 

Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now (bleepingcomputer.com) 

Critical RCE Flaw Discovered in Fortinet FortiGate Firewalls - Patch Now! (thehackernews.com) 

PSIRT Advisories | FortiGuard 

300,000+ Fortinet firewalls vulnerable to critical FortiOS RCE bug (bleepingcomputer.com) 
Chat With One of Our Experts



remote code execution RCE Remote Code Execution (RCE) vulnerabilities Flash Notice Heap-Based Buffer Overflow Vulnerability Fortinet Vulnerability Fortinet Critical Vulnerability Blog