Fortinet urges to patch the critical RCE flaw CVE-2023-27997 in Fortigate firewalls

Fortinet addressed a new critical flaw, tracked as CVE-2023-27997, in FortiOS and FortiProxy that is likely exploited in a limited number of attacks.

Fortinet has finally published an official advisory about the critical vulnerability, tracked as CVE-2023-27997 (CVSS score: 9.2), impacting FortiOS and FortiProxy.

“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.” reads the advisory.

The vulnerability is a heap-based buffer overflow issue and according to the vendor it may have been exploited in a limited number of attacks aimed at government, manufacturing, and critical infrastructure sectors.

“Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation.” states the report published by Fortinet. “For this reason, if the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release. If the customer is not operating SSL-VPN the risk of this issue is mitigated – however, Fortinet still recommends upgrading.”

A remote attacker can trigger the vulnerability to execute arbitrary code or commands by sending specifically crafted requests to vulnerable devices.

The vulnerability was reported to Fortinet by the researcher Charles Fol and Dany Bach (DDXhunter) from Lexfo Security. The researcher describes the issue as a reachable pre-authentication that impacts every SSL VPN appliance.

The issue impacts at least:

FortiOS-6K7K version 7.0.10
FortiOS-6K7K version 7.0.5
FortiOS-6K7K version 6.4.12
FortiOS-6K7K version 6.4.10
FortiOS-6K7K version 6.4.8
FortiOS-6K7K version 6.4.6
FortiOS-6K7K version 6.4.2
FortiOS-6K7K version 6.2.9 through 6.2.13
FortiOS-6K7K version 6.2.6 through 6.2.7
FortiOS-6K7K version 6.2.4
FortiOS-6K7K version 6.0.12 through 6.0.16
FortiOS-6K7K version 6.0.10
At least
FortiProxy version 7.2.0 through 7.2.3
FortiProxy version 7.0.0 through 7.0.9
FortiProxy version 2.0.0 through 2.0.12
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
At least
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.11
FortiOS version 6.4.0 through 6.4.12
FortiOS version 6.2.0 through 6.2.13
FortiOS version 6.0.0 through 6.0.16

BleepingComputer reported that searching for Fortigate firewalls exposed online there are more than 250K installs worldwide, most of them in the US.

The company is not explicitly linking the FG-IR-23-097 to the Volt Typhoon campaign, however, Fortinet believes that all threat actors, including the Volt Typhoon APT, can start exploiting the above issue.

Fortinet urges customers to immediately patch their installs.

Below are the actions recommended by the company:

• Review your systems for evidence of exploit of previous vulnerabilities e.g. FG-IR-22-377 / CVE-2022-40684
• Maintain good cyber hygiene and follow vendor patching recommendations
• Follow hardening recommendations, e.g., FortiOS 7.2.0 Hardening Guide
• Minimize the attack surface by disabling unused features and managing devices via an out-of-band method wherever possible

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2023-27997)