Fortinet has released several versions of FortiOS, the OS/firmware powering its Fortigate firewalls and other devices, without mentioning that they include a fix for CVE-2023-27997, a remote code execution (RCE) flaw that does not require the attacker to be logged in to exploit it.
The vulnerability has been fixed in FortiOS versions 7.2.5, 7.0.12, 6.4.13, 6.2.15 and, apparently also in v6.0.17 (even though Fortinet officially stopped supporting the 6.0 branch last year).
Enterprise admins are advised to upgrade Fortigate devices as soon as possible – if the vulnerability is not already being exploited by attackers, it’s likely that it will soon be.
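To turn the fixed-version list above into something that can be checked across a fleet, here is an added Python triage script; it is not code from the article, from Fortinet or from the researchers. It assumes that a build on one of the listed branches is vulnerable exactly when its patch number is below the fix listed above, reports branches the article does not list (for example 7.4) as unknown rather than guessing, and the inventory lines it parses are constructed samples in the shape of FortiOS `get system status` output.

```python
"""Triage FortiOS version strings against the CVE-2023-27997 fix list.

Fixed releases as given in the article: 7.2.5, 7.0.12, 6.4.13, 6.2.15 and,
apparently, 6.0.17. Assumption (not from the article): on a listed branch,
patch < fixed patch means vulnerable, patch >= fixed patch means fixed.
Branches not in the table are reported as "unknown".
"""
import re
from typing import Dict, Tuple

# Branch (major, minor) -> first patch release containing the fix.
FIXED_PATCH: Dict[Tuple[int, int], int] = {
    (7, 2): 5,
    (7, 0): 12,
    (6, 4): 13,
    (6, 2): 15,
    (6, 0): 17,  # listed as "apparently" fixed; 6.0 is out of support
}

# Matches "7.0.11" or "v7.0.11" wherever it appears in a status line; the
# first dotted triple is taken, so "build0489" later in the line is ignored.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a bare version or a status line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def status(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for a version string."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unknown"
    return "fixed" if patch >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a dict of hostname -> status line."""
    return {host: status(line) for host, line in inventory.items()}


# Constructed sample inventory (hostnames and builds are made up), written
# in the form of the "Version:" line printed by `get system status`.
SAMPLE_INVENTORY = {
    "fw-dc1": "Version: FortiGate-100F v7.0.11,build0489,230404 (GA.F)",
    "fw-dc2": "Version: FortiGate-100F v7.0.12,build0523,230606 (GA.F)",
    "fw-branch": "Version: FortiGate-60F v6.4.12,build2360,230425 (GA.F)",
    "fw-lab": "Version: FortiGate-VM64 v7.4.0,build2360,230509 (GA.F)",
}

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:10s} {result}")
```

Hosts that come back "unknown" need a manual look at the vendor advisory for their branch; the script deliberately refuses to call them safe. Note that a device reporting "fixed" only means the SSL-VPN fix is present, not that the device was never exploited before the upgrade.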
The exact nature of the vulnerability is currently (publicly) unknown. According to Olympe Cyberdefense, Fortinet will be releasing more details on June 13, 2023 (Tuesday).
They say that the vulnerability is critical, affects Fortigate firewalls' SSL VPN functionality, and may allow an attacker to “interfere via the VPN, even if MFA is activated.”
Lexfo security researcher Charles Fol, who along with colleague Dany Bach reported the flaw, says that CVE-2023-27997 allows RCE, is “reachable pre-authentication, on every SSL VPN appliance,” and that they will be releasing more details at a later time.
There is currently no mention of possible workarounds.
Unfortunately for enterprise defenders, threat actors can diff the patched firmware against the previous release to locate what the fix changes and, from that, work out the underlying bug and develop a working exploit.
Also, Fortinet has been known to push out critical fixes without mentioning vulnerabilities – whether actively exploited or not. Enterprise admins should therefore move fast and implement the patch as soon as possible.
If the available update doesn’t show up in the device’s dashboard, rebooting it may make it show up. If not, manual download and installation is advised.
UPDATE (June 13, 2023, 08:20 a.m. ET):
Fortinet has published a security advisory for CVE-2023-27997, describing it as a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN that may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
In an accompanying blog post, the company said that the vulnerability “may have been exploited in a limited number of cases,” but does not offer more information.
Fortinet also pointed out that while they are not linking exploitation of this particular flaw to the Volt Typhoon threat actors (who have exploited FortiOS flaws in the past), they expect “all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices,” and advise IT admins to engage in “an aggressive patching campaign.”
Rapid7 says they also expect CVE-2023-27997 will be leveraged by attackers, but that “heap-based exploits are notoriously tricky, and it’s unlikely that we’ll see automated exploitation at scale.”
UPDATE (June 14, 2023, 03:40 a.m. ET):
The researchers who uncovered the vulnerability have shared technical details and a demo of its exploitation.