UPDATE 7/6/2023 - Last month, Avertium published a flash notice regarding a critical heap-based buffer overflow vulnerability (CVE-2023-27997) found in Fortinet FortiOS and FortiProxy SSL-VPN. The vulnerability could allow an attacker to interfere via the VPN, even if MFA is enabled. Despite the release of updates by Fortinet, over 300,000 FortiGate firewall appliances remain unpatched and reachable from the public internet.
During an investigation by Bishop Fox researchers, it was discovered that many of the exposed FortiGate devices had not received an update in the past eight years, with some of them running end-of-life software such as FortiOS 6. As a result, the exposed devices are vulnerable to CVE-2023-27997 and to other security flaws for which a proof-of-concept is publicly available.
A successful attack would allow an unauthenticated attacker to execute code remotely on vulnerable devices whose SSL-VPN interface is exposed to the web. Fortinet has provided updates and has released FortiOS firmware versions:
Now that a PoC is publicly available, it is highly recommended that you patch your devices immediately, as CVE-2023-27997 now has a CVSS score of 9.8. Currently, there are no new updates from Fortinet regarding the vulnerability. As a result, the same recommendations provided in Avertium's original flash notice still apply.
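The update above singles out three risk factors for a FortiGate fleet: the SSL-VPN interface reachable from the internet, firmware below the fixed build, and end-of-life branches such as FortiOS 6 that have gone years without an update. The script below is an added example (not Avertium's code or a Fortinet tool) that turns those factors into a patch-priority ranking over a constructed inventory. The fixed-build table is a placeholder because the notice does not list Fortinet's patched versions; the device records, hostnames and dates are constructed sample data.

```python
"""Triage a FortiGate inventory for CVE-2023-27997 exposure.

Added example, not part of the Avertium notice. Ranks devices by the risk
factors the notice describes: internet-facing SSL-VPN, firmware below the
fixed build, end-of-life branches, and years without an update.
"""
from datetime import date, timedelta

# PLACEHOLDER: the notice does not list Fortinet's fixed builds. Replace these
# deliberately fake values with the builds from the FortiGuard PSIRT advisory.
PLACEHOLDER_FIXED_VERSIONS = {
    (7, 2): (7, 2, 99),
    (7, 0): (7, 0, 99),
    (6, 4): (6, 4, 99),
}

# The notice cites devices that have gone eight years without an update.
STALE_AFTER = timedelta(days=8 * 365)

# Constructed sample inventory (hostnames, versions and dates are made up).
CONSTRUCTED_INVENTORY = [
    {"host": "fw-branch-01", "version": "7.2.99", "sslvpn_internet_facing": True, "last_update": "2023-06-20"},
    {"host": "fw-branch-02", "version": "7.2.3", "sslvpn_internet_facing": True, "last_update": "2022-11-02"},
    {"host": "fw-lab-03", "version": "6.0.4", "sslvpn_internet_facing": True, "last_update": "2015-03-10"},
    {"host": "fw-dc-04", "version": "7.0.1", "sslvpn_internet_facing": False, "last_update": "2021-09-14"},
]


def parse_version(text):
    """Turn 'major.minor.patch' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(p) for p in parts)


def firmware_status(version, fixed=PLACEHOLDER_FIXED_VERSIONS):
    """Classify firmware as 'fixed', 'vulnerable' or 'end_of_life'."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in fixed:
        # No fixed build on this branch (e.g. FortiOS 6.0): only an upgrade helps.
        return "end_of_life"
    return "fixed" if v >= fixed[branch] else "vulnerable"


def triage_device(dev, today, fixed=PLACEHOLDER_FIXED_VERSIONS):
    """Return (priority, reasons) for one device record."""
    status = firmware_status(dev["version"], fixed)
    reasons = []
    if status != "fixed":
        reasons.append(f"firmware {status}")
    if dev["sslvpn_internet_facing"]:
        reasons.append("SSL-VPN reachable from the internet")
    if today - date.fromisoformat(dev["last_update"]) >= STALE_AFTER:
        reasons.append("no firmware update in eight or more years")
    # Pre-auth RCE surface exposed to the web is the worst combination.
    if status != "fixed" and dev["sslvpn_internet_facing"]:
        priority = "critical"
    elif status != "fixed":
        priority = "high"
    else:
        priority = "ok"
    return priority, reasons


def rank_inventory(inventory, today, fixed=PLACEHOLDER_FIXED_VERSIONS):
    """Sort devices so the ones to patch first come first."""
    order = {"critical": 0, "high": 1, "ok": 2}
    rows = [(d["host"],) + triage_device(d, today, fixed) for d in inventory]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


def demo(today=date(2023, 7, 6)):
    """Rank the constructed inventory as of the notice's update date."""
    return rank_inventory(CONSTRUCTED_INVENTORY, today)


if __name__ == "__main__":
    for host, priority, reasons in demo():
        print(f"{priority:8} {host:14} {'; '.join(reasons) or 'no findings'}")
```

Feed it your own export (hostname, firmware string, whether the SSL-VPN portal is internet-facing, date of last firmware change) and the devices the notice is worried about, exposed and unpatched or on a dead branch, sort to the top; a device on a branch missing from the fixed-build table is flagged end-of-life rather than silently treated as safe.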
OVERVIEW
A critical heap-based buffer overflow vulnerability (CVE-2023-27997) was found in Fortinet FortiOS and FortiProxy SSL-VPN. According to the cybersecurity firm Olympe Cyberdefense, the vulnerability could allow an attacker to interfere via the VPN, even if MFA is enabled.
The impacted products are as follows:
Fortinet released an advisory last night acknowledging the vulnerability, but security researchers suspect that the company quietly patched it, because the patches were released before the advisory was published. Once reports surfaced about CVE-2023-27997, Fortinet shared the following statement with several news outlets.
“Timely and ongoing communications with our customers is a key component in our efforts to best protect and secure their organization. There are instances where confidential advance customer communications can include early warning on Advisories to enable customers to further strengthen their security posture, prior to the Advisory being publicly released to a broader audience. This process follows best practices for responsible disclosure to ensure our customers have the timely information they need to help them make informed risk-based decisions. For more on Fortinet's responsible disclosure process, visit the Fortinet Product Security Incident Response Team (PSIRT) page: https://www.fortiguard.com/psirt_policy.”
CVE-2023-27997 has not yet been exploited, but the issue is urgent: the vulnerability has a CVSS score of 9.2 and is likely to be exploited promptly once threat actors discover and analyze it. Fortinet devices are widely recognized as leading firewall and VPN products and are deployed in large numbers, which makes them a prime target for attacks.
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2023-27997. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
SUPPORTING DOCUMENTATION
CVE - CVE-2023-27997 (mitre.org)
Fortinet FortiGate VPN-SSL | Olympus Cyberdefense (olympecyberdefense.fr)
Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now (bleepingcomputer.com)
Critical RCE Flaw Discovered in Fortinet FortiGate Firewalls - Patch Now! (thehackernews.com)
300,000+ Fortinet firewalls vulnerable to critical FortiOS RCE bug (bleepingcomputer.com)