During a red team assessment for a client, Charles Fol and Dany Bach from LEXFO discovered a heap overflow bug in Fortigate’s SSL VPN that can be exploited to achieve remote code execution on Fortigate instances. This vulnerability is reachable without authentication and can be used to execute arbitrary code on vulnerable systems, which could lead to a complete compromise of the system.
On June 13th, CVE-2023-27997 was assigned to this vulnerability with a Critical CVSS score of 9.2. The heap overflow bug is located directly in the web interface that allows users to authenticate to the VPN. Only the specific versions listed below are impacted by this bug. CVE-2023-27997 follows a long string of Fortinet vulnerabilities disclosed since January 2023, beginning with CVE-2022-42475.
| FortiOS-6K7K | FortiProxy | FortiOS |
|---|---|---|
| version 7.0.10 | version 7.2.0 through 7.2.3 | version 7.2.0 through 7.2.4 |
| version 7.0.5 | version 7.0.0 through 7.0.9 | |
| version 6.4.12 | version 2.0.0 through 2.0.12 | version 7.0.0 through 7.0.11 |
| version 6.4.10 | 1.2 all versions | version 6.4.0 through 6.4.12 |
| version 6.4.8 | 1.1 all versions | version 6.2.0 through 6.2.13 |
| version 6.4.6 | | version 6.0.0 through 6.0.16 |
| version 6.4.2 | | |
| version 6.2.9 through 6.2.13 | | |
| version 6.2.6 through 6.2.7 | | |
| version 6.2.4 | | |
| version 6.0.12 through 6.0.16 | | |
| version 6.0.10 | | |
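To check a device inventory against the affected ranges in the table above, here is an added Python example (not Fortinet's or Centripetal's code). The hostnames and versions in the inventory are constructed placeholders, and versions given with fewer than three components are padded with zeros before comparison.

```python
# Added example: match product versions against the CVE-2023-27997 affected
# ranges listed in the advisory table. Not Fortinet's or Centripetal's code.
from typing import List, Tuple

# Ranges transcribed from the table: (lowest, highest) inclusive, or a
# "major.minor" string meaning every version of that line is affected.
AFFECTED = {
    "FortiOS": [("7.2.0", "7.2.4"), ("7.0.0", "7.0.11"), ("6.4.0", "6.4.12"),
                ("6.2.0", "6.2.13"), ("6.0.0", "6.0.16")],
    "FortiOS-6K7K": [("7.0.10", "7.0.10"), ("7.0.5", "7.0.5"), ("6.4.12", "6.4.12"),
                     ("6.4.10", "6.4.10"), ("6.4.8", "6.4.8"), ("6.4.6", "6.4.6"),
                     ("6.4.2", "6.4.2"), ("6.2.9", "6.2.13"), ("6.2.6", "6.2.7"),
                     ("6.2.4", "6.2.4"), ("6.0.12", "6.0.16"), ("6.0.10", "6.0.10")],
    "FortiProxy": [("7.2.0", "7.2.3"), ("7.0.0", "7.0.9"), ("2.0.0", "2.0.12"),
                   "1.2", "1.1"],
}

def parse_version(s: str) -> Tuple[int, ...]:
    """'7.0' -> (7, 0, 0); missing components are treated as zero."""
    parts = [int(p) for p in s.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(product: str, version: str) -> bool:
    v = parse_version(version)
    for entry in AFFECTED[product]:
        if isinstance(entry, str):              # "all versions" of a major.minor line
            if v[:2] == parse_version(entry)[:2]:
                return True
        else:
            lo, hi = parse_version(entry[0]), parse_version(entry[1])
            if lo <= v <= hi:                   # tuple comparison is lexicographic
                return True
    return False

# Constructed inventory: hostname,product,version (placeholder hosts, not real devices).
INVENTORY = """\
fw-edge-01,FortiOS,7.0.9
fw-edge-02,FortiOS,7.2.5
proxy-01,FortiProxy,1.2.13
chassis-01,FortiOS-6K7K,6.2.8
"""

def triage(csv_text: str) -> List[str]:
    # Return the hostnames whose firmware falls inside an affected range.
    hits = []
    for line in filter(None, csv_text.splitlines()):
        host, product, version = (f.strip() for f in line.split(","))
        if is_affected(product, version):
            hits.append(host)
    return hits
```

`triage(INVENTORY)` returns `['fw-edge-01', 'proxy-01']`: the 7.2.5 and 6K7K 6.2.8 devices fall outside every listed range.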
With Fortinet flaws emerging as a lucrative attack vector for threat actors in recent years, Fortigate customers are advised to update their firmware to the latest version as soon as possible. There have been no reports of this specific vulnerability being widely exploited; however, we do expect threat actors to leverage it soon, as more than 210,000 devices with the Fortigate SSL VPN were exposed to the Internet as of June 12th.
As of June 13, there are no known network IOCs specific to exploitation of this vulnerability.
If upgrading to the latest firmware is not possible immediately, customers are advised to disable SSL-VPN until upgrading is possible.
If you are a current Centripetal and FortiGate client, please contact [email protected].
Centripetal is pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact us.