Fortinet recently released updates for several products utilizing SSL-VPN functionalities after discovering a critical vulnerability. The major flaw discovered gives the ability to an attacker to perform an unauthenticated remote code execution on devices. Barracuda SOC recommends updating Fortinet products to the latest fixed versions.
What is the threat?
This vulnerability is currently logged as CVE-2023-27997 and is a heap-based buffer overflow vulnerability in FortiOS and FortiProxy. This security flaw can enable unauthenticated users to crash devices remotely and potentially execute code or commands. The vulnerability affects the SSL-VPN functionalities of Fortinet products, irrespective of authentication protocols, which play a critical role in providing secure remote access to an organization’s network. Currently, there is no confirmation whether this vulnerability has been exploited in the wild. Researchers Charles Fol and Dany Bach from LEXFO are credited with discovering and reporting this critical flaw to Fortinet.
Why is it noteworthy?
Fortinet is a security solutions company widely utilized across various sectors, including remote offices, small businesses, expansive campuses, and many others. The severity of the situation amplifies due to the vulnerability being reachable pre-authentication on every SSL-VPN appliance. The SSL-VPN functionality is critical to remote users securely connecting to resources within an organization. The exposure of such service can have devastating impacts on the affected system.
What is the exposure or risk?
As mentioned, the exploitation of CVE-2023-27997 can enable unauthenticated users to crash devices remotely and potentially execute code. This could lead to a compromise of the affected system’s integrity, availability, and confidentiality, ultimately putting the entire network at risk for the affected organization. Fortinet has released patches for this vulnerability and recommend upgrading to the following versions:
- FortiOS-6K7K version 7.0.12 or above
- FortiOS-6K7K version 6.4.13 or above
- FortiOS-6K7K version 6.2.15 or above
- FortiOS-6K7K version 6.0.17 or above
- FortiProxy version 7.2.4 or above
- FortiProxy version 7.0.10 or above
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.5 or above
- FortiOS version 7.0.12 or above
- FortiOS version 6.4.13 or above
- FortiOS version 6.2.14 or above
- FortiOS version 6.0.17 or above
What are the recommendations?
Barracuda SOC recommends the following actions to limit the impact of this remote code execution vulnerability:
- As a work-around, disable SSL-VPN.
- Apply the latest patches against the vulnerability provided by Fortinet.
- Continue to conduct proper cyber hygiene and best practices to further protect your organization.
- Stay up to date on the latest advisories from Fortinet.
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2023/06/critical-rce-flaw-discovered-in.html
- https://olympecyberdefense.fr/1193-2/
- https://nvd.nist.gov/vuln/detail/CVE-2023-27997
- https://securityonline.info/cve-2023-27997-fortinet-fortigate-pre-auth-rce-vulnerability/
If you have any questions, please contact our Security Operations Center.
