A critical vulnerability has been discovered in multiple Fortinet Fortigate devices with SSL VPN enabled. The vulnerability, CVE-2023-27997, is a heap-based buffer overflow bug that allows unauthenticated remote code execution (RCE) on the affected system. The flaw was discovered and reported by researchers @DDXhunter and Charles Fol (@cfreal_) .
This vulnerability is very serious, as it can compromise the security and integrity of the network protected by Fortigate devices. SSL VPNs are used to provide secure remote access to an organization’s network, but this flaw can potentially breach this secure channel and allow attackers to execute arbitrary code or commands on the device.
The vulnerability is also reachable pre-authentication, meaning that attackers do not need any credentials or privileges to exploit it. This increases the risk of exploitation by malicious actors who may target vulnerable devices exposed on the internet.
Public exploitation of CVE-2023-27997 has not been reported in the wild as of yet, and no known public exploit code for this vulnerability has been released.
Fortinet has issued patches for this vulnerability, which are included in versions 7.2.5, 7.0.12, 6.4.13, 6.2.15, and 6.0.17 of FortiOS firmware. Users are strongly advised to update their systems to these versions as soon as possible to prevent potential attacks.
Users should also review their network configurations and firewall rules to ensure that only authorized and trusted users can access the SSL VPN functionalities of Fortigate devices.
Fortigate users can check if their devices are vulnerable by using the following command on the CLI:
diagnose sys fortiguard-service status
If the output shows FortiOS Version: 7.2.5 or higher, 7.0.12 or higher, 6.4.13 or higher, 6.2.15 or higher, or 6.0.17 or higher, then the device is not vulnerable. If the output shows a lower version number, the device is vulnerable and must be patched.
Users can also use external tools such as Blumira's FREE Domaind Assessment or Nmap to scan their devices for open ports related to SSL VPN (such as 443 or 10443) and check the banner information for the FortiOS version number.
It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment.
Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.