Warning: Remote code execution vulnerability discovered in all FortiGate devices running FortiOS with SSL-VPN enabled, Patch Immediately!

Image
Decorative image
Publié : 12/06/2023

Reference:
Advisory #2023-68

Version:
2.0

Affected software:
FortiGate devices running FortiOS with SSL-VPN enabled

Type:
Unauthenticated Remote Code Execution

CVE/CVSS:
CVE-2023-27997 CVSS 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Sources

Fortinet - https://www.fortiguard.com/psirt/FG-IR-23-097

Risks


UPDATE 2025-04-08

An unauthenticated remote attacker could gain remote code execution capabilities on a vulnerable FortiOS appliance even if multi-factor authentication is enabled.

This vulnerability is actively exploited by threat actors, including by ransomware groups like RansomHub. Some threat intelligence companies also assess this vulnerability is actively exploited by state-sponsored groups for espionage purposes (https://www.tenable.com/blog/volt-typhoon-u-s-critical-infrastructure-targeted-by-state-sponsored-actors).

CVE-2023-27997 has a high impact on Confidentiality, Integrity, and availability. Immediate action is required!

Description

UPDATE 2025-04-08

CVE-2023-27997 is a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN. The vulnerability is a flaw in the SSL-VPN pre-authentication.

Successful exploitation could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Recommended Actions

The Centre for Cybersecurity Belgium strongly recommends system administrators to take the following actions:

Update FortiOS-6K7K to one of the following versions:

  • version 7.0.12 or above
  • version 6.4.13 or above
  • version 6.2.15 or above
  • version 6.0.17 or above

Update FortiProxy to one of the following versions:

  • version 7.2.4 or above
  • version 7.0.10 or above
  • version 2.0.13 or above

Update FortiOS to one of the following versions:

  • version 7.4.0 or above
  • version 7.2.5 or above
  • version 7.0.12 or above
  • version 6.4.13 or above
  • version 6.2.14 or above
  • version 6.0.17 or above

UPDATE 2025-04-08

Disabling SSL-VPN is a possible workaround, although it is recommended to upgrade to the latest version.

  • Check the FortiOS logs for any malicious actions e.g., creation of a new user.
  • Monitor the FortiOS device and its VPN connections closely to discover anomalies.
  • Monitor your network traffic to discover any malicious traffic within your network.

References

Fortinet - https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign

Fortinet - https://www.fortiguard.com/psirt/FG-IR-23-097