CVE-2023-27997: Critical Fortinet Fortigate SSL-VPN RCE Vulnerability

Share :

On 12 June 2023, Fortinet released a security advisory and blog post on CVE-2023-27997, stating that the vulnerability is caused by a heap-based buffer overflow, allowing threat actors to achieve RCE on several versions of FortiOS and FortiProxy SSL-VPN products. Based on Fortinet’s current investigation, threat actors may have exploited the vulnerability in a limited number of cases. Technical details on the exploitation of this vulnerability have now been shared publicly and the possibility of a proof of concept (PoC) may be available in the near future.  

Note: If your organisation does not have SSL-VPN enabled, the risk posed by this vulnerability is mitigated.  

Updated List of Affected Products 
FortiOS-6K7K Versions  FortiProxy Versions  FortiOS Versions 

7.0.5, 7.0.10, 6.4.8, 6.4.6, 6.4.2, 6.4.12, 6.4.10, 6.2.9, 6.2.7, 6.2.6, 6.2.4, 6.2.13, 6.2.12, 6.2.11, 6.2.10, 6.0.16, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.10 

7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 2.0.9, 2.0.8, 2.0.7, 2.0.6, 2.0.5, 2.0.4, 2.0.3, 2.0.2, 2.0.12, 2.0.11, 2.0.10, 2.0.1, 2.0.0, 1.2.9, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.13, 1.2.12, 1.2.11, 1.2.10, 1.2.1, 1.2.0, 1.1.6, 1.1.5, 1.1.4, 1.1.3, 1.1.2, 1.1.1, 1.1.0 

7.2.4, 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.11, 7.0.10, 7.0.1, 7.0.0, 6.4.9, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.12, 6.4.11, 6.4.10, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.13, 6.2.12, 6.2.11, 6.2.10, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.16, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0 

Arctic Wolf is actively monitoring intelligence sources for campaigns linked to active exploitation of this vulnerability. We are also monitoring for the most relevant indicators of compromise and TTPs associated with this vulnerability and any positive matches will be escalated directly to customers as incidents. 

Arctic Wolf will follow its standard internal processes to assess the impact of this newly reported vulnerability within its own environment and if impacted, will address it within the established remediation timelines in our Security Patching Policy.  

Recommendations for CVE-2023-27997

Please follow your organisation’s patching and testing guidelines to avoid any operational impact  

Recommendation #1: Upgrade to the Most Recent Firmware Release  

Arctic Wolf strongly recommends updating to one of the following versions outlined in the table below to remediate the newly discovered vulnerability. 

Solutions 
FortiOS-6K7K Versions  FortiProxy Versions  FortiOS Versions 
  • FortiOS-6K7K version 7.0.12 or above. 
  • FortiOS-6K7K version 6.4.13 or above. 
  • FortiOS-6K7K version 6.2.15 or above. 
  • FortiOS-6K7K version 6.0.17 or above. 
  • FortiProxy version 7.2.4 or above. 
  • FortiProxy version 7.0.10 or above. 
  • FortiOS version 7.4.0 or above. 
  • FortiOS version 7.2.5 or above. 
  • FortiOS version 7.0.12 or above. 
  • FortiOS version 6.4.13 or above. 
  • FortiOS version 6.2.14 or above. 
  • FortiOS version 6.0.17 or above. 

 

Recommendation #2: Disable SSL-VPN on Impacted Devices 

If you are unable to upgrade to the versions above, Fortinet recommends disabling SSL-VPN functionality to mitigate the vulnerability.  

References 

On 9 June 2023, security researchers from Olympe CyberDefense published a blog stating that they responsibly disclosed a critical vulnerability in SSL-VPN firewalls to Fortinet. This vulnerability, CVE-2023-27997, is a critical, pre-authentication RCE vulnerability that impacts all versions of Fortinet SSL-VPN firewalls, even if multi-factor authentication (MFA) is enabled. The security researchers responsibly disclosed the vulnerability to Fortinet. Although Fortinet has not published a security advisory for CVE-2023-27997 yet, the vendor has released firmware updates to remediate the vulnerability. Based on the advisory published by Olympe CyberDefense, additional information about the vulnerability will be published on 13 June 2023.  

Fortinet has provided advance communication to their customers regarding this vulnerability prior to disclosure. While no evidence of exploitation in the wild has been observed, threat actors have historically exploited Fortinet SSL-VPN vulnerabilities to obtain initial access shortly after details of such vulnerabilities were published.  

Recommendation for CVE-2023-27997

Apply the Latest Security Patches Released by Fortinet 

Arctic Wolf strongly recommends updating to the following versions outlined in the table below to remediate the newly discovered vulnerability. 

According to Olympe CyberDefense and the Australian Cyber Security Centre (ACSC), the following versions contain a patch remediating CVE-2023-27997. 

Fixed Versions 
7.0.12  
7.2.5  
6.4.13  
6.2.15 
6.0.17 

 

Please follow your organisation’s patching and testing guidelines to avoid any operational impact. 

References 

James Liolios

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.
Share :
Table of Contents
Categories