Fortinet has patched a critical FortiGate vulnerability that an unauthenticated attacker can exploit for remote code execution, according to the researchers who reported the flaw to the vendor.
Today, Fortinet published a CVSS-Critical PSIRT advisory (FG-IR-23-097 / CVE-2023-27997) along with several other SSL-VPN-related fixes. This blog adds context to that advisory, giving our customers additional details to help them make informed, risk-based decisions, and provides our perspective on recent events involving malicious-actor activity.
The following write-up details our initial investigation into the incident that led to the discovery of this vulnerability and additional IoCs identified during our ongoing analysis.
Incident Analysis
Following the previous incident FG-IR-22-398 / CVE-2022-42475, published on January 11, 2023, in which a heap-based buffer overflow in the FortiOS SSL-VPN was observed being exploited in the wild, the Fortinet Product Security Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module as part of our commitment to product security and integrity. This audit, together with a responsible disclosure from a third-party researcher, led to the identification of the issues below, which have been remediated in the current firmware releases.
| Incident ID | NVD CVE | Product | Severity (CVSS score) | Description |
|---|---|---|---|---|
| FG-IR-23-097 | CVE-2023-27997 | FortiOS | 9.2 (Critical) | Heap buffer overflow in SSL-VPN pre-authentication |
| | | FortiOS | 7.3 (High) | Null pointer dereference in SSLVPNd |
| | | FortiOS | 7.1 (High) | Out-of-bounds write in SSLVPNd |
| | | FortiOS | 8.3 (High) | Format string bug in the fclicense daemon |
| | | FortiOS | 6.4 (Medium) | Null pointer dereference in SSLVPNd proxy endpoint |
| | | FortiOS | 4.1 (Medium) | Open redirect in SSLVPNd |
Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases, and we are working closely with customers to monitor the situation.
For this reason, Fortinet advises customers with SSL-VPN enabled to take immediate action and upgrade to the most recent firmware release. Because the heap overflow is reachable before authentication, every interface on which the SSL-VPN portal listens is exposed whether or not an attacker holds valid credentials. If SSL-VPN is not in use, the risk from this issue is mitigated; however, Fortinet still recommends upgrading.
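The guidance above turns on one question per device: is SSL-VPN actually listening? The following is an added example, not Fortinet's code, for answering that from a fleet of FortiOS configuration backups rather than by logging in to each unit. It assumes (verify against the CLI reference for your firmware) that SSL-VPN is off when the `config vpn ssl settings` block carries `set status disable` or binds no `source-interface`, and otherwise listens on `set port N` (443 when the key is absent) on the named interfaces. The two sample backups are constructed for the example.

```python
"""Exposure triage for the SSL-VPN issues listed above (added example).

Assumptions, to be checked against your firmware's CLI reference:
SSL-VPN is disabled when `config vpn ssl settings` contains
`set status disable` or has no `source-interface`; otherwise it listens
on `set port N` (443 if absent) on the listed interfaces.
"""
import re
from dataclasses import dataclass, field


@dataclass
class SslVpnExposure:
    enabled: bool
    port: int
    interfaces: list = field(default_factory=list)


def extract_block(config: str, header: str) -> list:
    """Return the `set`/`unset` lines directly inside `config <header>`.

    Backups nest `config ... end` blocks and `edit ... next` table entries,
    so a depth counter keeps a nested `end`/`next` from closing the block
    early and keeps entry-level settings out of the result.
    """
    inside, depth, body = False, 0, []
    for raw in config.splitlines():
        line = raw.strip()
        if not inside:
            if line == f"config {header}":
                inside, depth = True, 1
            continue
        if line.startswith(("config ", "edit ")):
            depth += 1
        elif line in ("end", "next"):
            depth -= 1
            if depth == 0:
                return body
        elif depth == 1 and line.split(" ", 1)[0] in ("set", "unset"):
            body.append(line)
    return body


def ssl_vpn_exposure(config: str) -> SslVpnExposure:
    """Decide whether SSL-VPN is listening, and where, from a backup."""
    port, interfaces, status_disabled = 443, [], False
    for line in extract_block(config, "vpn ssl settings"):
        m = re.match(r"set (\S+)\s+(.*)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "status" and value == "disable":
            status_disabled = True
        elif key == "port":
            port = int(value)
        elif key == "source-interface":
            # Interface names are quoted; several may be listed on one line.
            interfaces = re.findall(r'"([^"]*)"', value)
    return SslVpnExposure(not status_disabled and bool(interfaces), port, interfaces)


# Constructed sample backups (not captured from a real device).
EXPOSED_CFG = """\
config system global
    set hostname "fw-edge-1"
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set source-interface "wan1" "wan2"
    set source-address "all"
    set default-portal "web-access"
end
config vpn ssl web portal
    edit "web-access"
        set web-mode enable
    next
end
"""

DISABLED_CFG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set source-interface "wan1"
    set status disable
end
"""


def triage(config: str, name: str) -> str:
    """One-line verdict, for running over a directory of backups."""
    e = ssl_vpn_exposure(config)
    if e.enabled:
        return f"{name}: SSL-VPN listening on port {e.port} via {', '.join(e.interfaces)}; upgrade immediately"
    return f"{name}: SSL-VPN not listening; risk mitigated, upgrade still recommended"


if __name__ == "__main__":
    print(triage(EXPOSED_CFG, "fw-edge-1"))
    print(triage(DISABLED_CFG, "fw-lab-2"))
```

A device that reports "not listening" still needs the upgrade; the check only orders the queue. A backup is also a point-in-time view, so confirm the live state on the highest-priority units before closing them out.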
Recommended Actions
In addition to monitoring security advisories and patching systems promptly, Fortinet strongly recommends the following:
- Review your systems for evidence of exploitation of previously disclosed vulnerabilities, e.g. FG-IR-22-377 / CVE-2022-40684
- Maintain good cyber hygiene and follow vendor patching recommendations
- Follow hardening recommendations, e.g., FortiOS 7.2.0 Hardening Guide
- Minimize the attack surface by disabling unused features and managing devices via an out-of-band method wherever possible
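The first recommendation above, reviewing systems for prior exploitation, is concrete for FG-IR-22-377 / CVE-2022-40684: Fortinet's advisory for that issue names the pseudo-user `Local_Process_Access` in system event logs as the indicator that the authentication bypass was used, since no real administrator logs in under that name. The following is an added example, not part of this post, that parses FortiOS key="value" event logs, keeps every event attributed to that user, and separates the logins from the configuration changes that followed them. The sample log lines are constructed for the example, not taken from a compromised device.

```python
"""Log review for the previously disclosed FG-IR-22-377 / CVE-2022-40684.

Added example. The indicator `user="Local_Process_Access"` is the one
Fortinet's FG-IR-22-377 advisory tells customers to search for; the
log lines below are constructed, not real captures.
"""
import re

IOC_USER = "Local_Process_Access"

# key=value pairs: the value is either double-quoted (may contain spaces
# and escaped quotes) or a bare token such as an IP address.
KV_RE = re.compile(r'([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> dict:
    """Turn one FortiOS log line into a dict, stripping the quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def find_cve_2022_40684_indicators(lines) -> list:
    """Return event-log hits attributed to the IoC user, oldest first."""
    hits = []
    for number, line in enumerate(lines, 1):
        f = parse_fortios_log(line)
        # Only event logs carry admin logins and config changes; a user
        # field on traffic logs means something else and is ignored.
        if f.get("type") != "event" or f.get("user") != IOC_USER:
            continue
        hits.append({
            "line": number,
            "when": f"{f.get('date', '?')} {f.get('time', '?')}",
            "srcip": f.get("srcip", "?"),
            "logdesc": f.get("logdesc", "?"),
            # Config-change events carry cfgpath/cfgattr; logins do not.
            "change": f.get("cfgattr") if f.get("cfgpath") else None,
        })
    return hits


# Constructed sample: a normal admin login, an IoC login, a follow-on
# edit that plants an SSH key on the admin account, and a traffic log
# that must not be matched.
SAMPLE_LOGS = [
    'date=2022-10-14 time=07:21:47 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(192.0.2.10)" method="https" '
    'srcip=192.0.2.10 action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2022-10-14 time=07:23:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="Local_Process_Access" ui="https(198.51.100.77)" '
    'method="https" srcip=198.51.100.77 action="login" status="success" '
    'msg="Administrator Local_Process_Access logged in successfully"',
    'date=2022-10-14 time=07:23:09 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="Local_Process_Access" ui="https(198.51.100.77)" '
    'srcip=198.51.100.77 action="Edit" cfgpath="system.admin" cfgobj="admin" '
    'cfgattr="ssh-public-key1[->ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQexample]" msg="Edit system.admin admin"',
    'date=2022-10-14 time=07:25:11 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=192.0.2.50 '
    'user="Local_Process_Access" action="accept"',
]


def review(lines=SAMPLE_LOGS) -> list:
    """Print a short timeline of IoC events and return the hits."""
    hits = find_cve_2022_40684_indicators(lines)
    for h in hits:
        what = f"config change {h['change']}" if h["change"] else h["logdesc"]
        print(f"line {h['line']} {h['when']} from {h['srcip']}: {what}")
    return hits


if __name__ == "__main__":
    review()
```

A single login hit is enough to treat the device as compromised; the configuration-change hits that follow it tell you what to undo (here, an SSH key added to the admin account) and which source address to pivot on across the rest of the estate. Run it over the exported logs of the period before the device was patched, not just the current buffer, since the bypass predates the SSL-VPN issues discussed above.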