Fortinet CVE-2023-27997: Impact and Mitigation Techniques

On June 9th, Fortinet began distributing patches for a new critical vulnerability affecting Fortigate SSL VPN firewalls running on FortiOS or FortiProxy. While Fortinet has not yet released detailed information about the nature of the vulnerability, they have assigned a CVSSv3 score of 9.2 and classified it as an unauthenticated remote code execution (RCE) vulnerability based on a heap buffer overflow. Notably, even dual-factor authentication does not help in mitigating this vulnerability.

Impact and affected versions

Over 200,000 Fortigate firewall instances are reachable from the internet, most likely vulnerable. Although there have been reports indicating that this CVE might have been exploited in a limited number of cases, the likelihood of further exploitation remains high.

According to the official Fortinet advisory, the following are the affected versions of FortiOS and FortiProxy:

FortiOS-6K7K	FortiOS	FortiProxy
FortiOS-6K7K version 7.0.10 FortiOS-6K7K version 7.0.5 FortiOS-6K7K version 6.4.12 FortiOS-6K7K version 6.4.10 FortiOS-6K7K version 6.4.8 FortiOS-6K7K version 6.4.6 FortiOS-6K7K version 6.4.2 FortiOS-6K7K version 6.2.9 through 6.2.13 FortiOS-6K7K version 6.2.6 through 6.2.7 FortiOS-6K7K version 6.2.4 FortiOS-6K7K version 6.0.12 through 6.0.16	FortiOS-6K7K version 6.0.10 FortiOS version 7.2.0 through 7.2.4 FortiOS version 7.0.0 through 7.0.11 FortiOS version 6.4.0 through 6.4.12 FortiOS version 6.2.0 through 6.2.13 FortiOS version 6.0.0 through 6.0.16	FortiProxy version 7.2.0 through 7.2.3 FortiProxy version 7.0.0 through 7.0.9 FortiProxy version 2.0.0 through 2.0.12 FortiProxy 1.2 all versions FortiProxy 1.1 all versions

Mitigation

According to the official Fortinet analysis of this vulnerability, the recommended actions are:

• Upgrade to the latest version
• If you can’t upgrade, disable your SSL-VPN appliances
• Check your systems for signs of exploitation of previous vulnerabilities, such as FG-IR-22-377 / CVE-2022-40684
• Follow the hardening guidelines provided in the FortiOS 7.2.0 Hardening Guide
• Disabling unused features and managing devices through an out-of-band method whenever feasible reduces the potential for attacks

The Attack Surface Intelligence approach

As soon as we received notification of this new vulnerability, our Attack Surface Quick Reaction Team initiated efforts to locate as many FortiOS and FortiProxy appliances as possible. We utilized various identifiers, including the fingerprinting of the server field and favicons, to identify these appliances. While we could only sometimes determine the precise version of the assets, we erred on the side of caution and chose to inform every customer rather than risk leaving anyone uninformed.

On June 12, all Attack Surface Intelligence customers potentially owning a Fortinet SSL VPN appliance were promptly notified via email, ensuring timely assistance and support within a few hours of the vulnerability's release to provide necessary information and guidance to address the situation effectively. Additionally, Recorded Future Vulnerability Intelligence users are provided additional resources and insights for remediation.

Summary

This blog post highlights a critical vulnerability in Fortigate SSL VPN firewalls, which is currently undergoing patching. Although limited information is available, this unauthenticated remote code execution (RCE) vulnerability poses a significant risk to over 200,000 exposed firewalls. As in previous instances, Attack Surface Intelligence again took the lead in identifying potentially affected software and notifying impacted customers through email, enabling them to address the vulnerability and safeguard their digital assets swiftly.