Fortinet issues patches for FortiOS RCE bug that "may have been exploited"
Head of Hacking
Fortinet has issued an advisory recommending updates for its FortiGate products to address a critical security vulnerability that allows remote code execution (RCE) without authentication in its SSL VPN appliances.
The vulnerability is identified as CVE-2023-27997 and has a CVSS score of 9.2.
The flaw is believed to have been exploited in a limited number of attacks, mainly targeting the government, manufacturing, and critical infrastructure sectors. Fortinet said that the vulnerability “may have been exploited in a limited number of cases” but did not offer more information.
Shodan, a search engine for internet-connected devices, shows approximately 250,000 Fortinet firewalls reachable from the internet worldwide. Since the vulnerability affects all previous versions, it is highly likely that a substantial portion of these firewalls is currently susceptible to attack.
How easy is it to exploit CVE-2023-27997?
"Exploiting this particular vulnerability, a heap-based buffer overflow, is generally considered challenging, and there are currently no publicly available exploits. Achieving complete Remote Code Execution (RCE) may not be widespread among most attackers unless they are advanced persistent threat (APT) groups."
Olivier Beg, 2023
While Fortinet hasn't explicitly linked this vulnerability (FG-IR-23-097) to the Volt Typhoon campaign, the company acknowledges that various threat actors could exploit the flaw. For an attacker who possesses a working exploit, taking advantage of the vulnerability is relatively straightforward, since the flaw can be exploited remotely and without authentication.
"This critical vulnerability is present in the publicly accessible web interface used for VPN authentication by the FortiGate firewall. The payload is transmitted via the "enc" parameter as either GET or POST requests to the paths "/remote/hostcheck_validate" or "/remote/logincheck"."
Olivier Beg, 2023
Exploiting this vulnerability could grant threat actors the ability to disrupt the VPN's functionality, even when Multi-Factor Authentication (MFA) is enabled.
Furthermore, threat actors may leverage compromised routers, firewalls, and VPN appliances from different vendors to camouflage their activities within legitimate network traffic.
How do you identify whether you are vulnerable?
The affected FortiOS versions include:
- FortiOS-6K7K version 7.0.10
- FortiOS-6K7K version 7.0.5
- FortiOS-6K7K version 6.4.12
- FortiOS-6K7K version 6.4.10
- FortiOS-6K7K version 6.4.8
- FortiOS-6K7K version 6.4.6
- FortiOS-6K7K version 6.4.2
- FortiOS-6K7K versions 6.2.9 to 6.2.13
- FortiOS-6K7K versions 6.2.6 to 6.2.7
- FortiOS-6K7K version 6.2.4
- FortiOS-6K7K versions 6.0.12 to 6.0.16
- FortiOS-6K7K version 6.0.10
- FortiProxy versions 7.2.0 to 7.2.3
- FortiProxy versions 7.0.0 to 7.0.9
- FortiProxy versions 2.0.0 to 2.0.12
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
- FortiOS versions 7.2.0 to 7.2.4
- FortiOS versions 7.0.0 to 7.0.11
- FortiOS versions 6.4.0 to 6.4.12
- FortiOS versions 6.2.0 to 6.2.13
- FortiOS versions 6.0.0 to 6.0.16
Upgrading to the latest firmware release is strongly recommended for anyone using SSL-VPN. Even for those not using SSL-VPN, Fortinet still advises upgrading to ensure overall security. If upgrading is not possible, SSL-VPN should be disabled, since it is the affected component.
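To turn the version list above into a repeatable check, here is an added Python example (not Fortinet's code and not part of the original article) that tests a reported FortiOS, FortiProxy or FortiOS-6K7K version against the affected ranges exactly as listed. The `get system status` sample line is constructed, and because that line alone does not say whether a device runs the 6K7K builds, the caller chooses which table applies.

```python
import re

# Affected ranges for CVE-2023-27997, transcribed from the list above.
# Each entry is (lowest, highest), inclusive; a None upper bound means every
# release on that major.minor branch ("FortiProxy 1.2 all versions").
AFFECTED = {
    "FortiOS": [("7.2.0", "7.2.4"), ("7.0.0", "7.0.11"), ("6.4.0", "6.4.12"),
                ("6.2.0", "6.2.13"), ("6.0.0", "6.0.16")],
    "FortiProxy": [("7.2.0", "7.2.3"), ("7.0.0", "7.0.9"), ("2.0.0", "2.0.12"),
                   ("1.2.0", None), ("1.1.0", None)],
    "FortiOS-6K7K": [("7.0.10", "7.0.10"), ("7.0.5", "7.0.5"), ("6.4.12", "6.4.12"),
                     ("6.4.10", "6.4.10"), ("6.4.8", "6.4.8"), ("6.4.6", "6.4.6"),
                     ("6.4.2", "6.4.2"), ("6.2.9", "6.2.13"), ("6.2.6", "6.2.7"),
                     ("6.2.4", "6.2.4"), ("6.0.12", "6.0.16"), ("6.0.10", "6.0.10")],
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return the first major.minor.patch triple in `text` as a tuple of ints,
    so 'v7.0.11,build0489' -> (7, 0, 11) and versions compare numerically."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(product, version):
    """True if `version` of `product` falls inside one of the listed ranges."""
    v = parse_version(version)
    for lo, hi in AFFECTED[product]:
        lo_t = parse_version(lo)
        if hi is None:
            if v[:2] == lo_t[:2]:  # whole branch is affected
                return True
        elif lo_t <= v <= parse_version(hi):
            return True
    return False

def check_status_line(line, product="FortiOS"):
    """Classify the 'Version:' line of `get system status`. The line does not
    identify 6K7K builds, so the caller selects the table (hypothetical helper)."""
    ver = ".".join(map(str, parse_version(line)))
    return {"version": ver, "affected": is_affected(product, ver)}

if __name__ == "__main__":
    # Constructed sample in the style of a FortiGate `get system status` line.
    sample = "Version: FortiGate-100F v7.0.11,build0489,230314 (GA.F)"
    print(check_status_line(sample))  # {'version': '7.0.11', 'affected': True}
```

A version above a listed range (for example 7.0.12) is reported as not affected only because it is outside the ranges on this page; confirm the fixed release against Fortinet's advisory before treating it as patched.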