On 12 June 2023, Fortinet released a security advisory and blog post on CVE-2023-27997, stating that the vulnerability is a heap-based buffer overflow that allows threat actors to achieve remote code execution (RCE) on several versions of FortiOS and FortiProxy SSL-VPN products. Based on Fortinet’s current investigation, threat actors may have exploited the vulnerability in a limited number of cases. Technical details on the exploitation of this vulnerability have now been shared publicly, and a proof of concept (PoC) may become available in the near future.
Note: If your organization does not have SSL-VPN enabled, the risk posed by this vulnerability is mitigated.
Updated List of Affected Products
FortiOS-6K7K Versions: 7.0.5, 7.0.10, 6.4.8, 6.4.6, 6.4.2, 6.4.12, 6.4.10, 6.2.9, 6.2.7, 6.2.6, 6.2.4, 6.2.13, 6.2.12, 6.2.11, 6.2.10, 6.0.16, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.10
FortiProxy Versions: 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 2.0.9, 2.0.8, 2.0.7, 2.0.6, 2.0.5, 2.0.4, 2.0.3, 2.0.2, 2.0.12, 2.0.11, 2.0.10, 2.0.1, 2.0.0, 1.2.9, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.13, 1.2.12, 1.2.11, 1.2.10, 1.2.1, 1.2.0, 1.1.6, 1.1.5, 1.1.4, 1.1.3, 1.1.2, 1.1.1, 1.1.0
FortiOS Versions: 7.2.4, 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.11, 7.0.10, 7.0.1, 7.0.0, 6.4.9, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.12, 6.4.11, 6.4.10, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.13, 6.2.12, 6.2.11, 6.2.10, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.16, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0
Arctic Wolf is actively monitoring intelligence sources for campaigns linked to active exploitation of this vulnerability. We are also monitoring for the most relevant indicators of compromise and TTPs associated with this vulnerability and any positive matches will be escalated directly to customers as incidents.
Arctic Wolf will follow its standard internal processes to assess the impact of this newly reported vulnerability within its own environment and if impacted, will address it within the established remediation timelines in our Security Patching Policy.
Recommendations
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
Recommendation #1: Upgrade to the Most Recent Firmware Release
Arctic Wolf strongly recommends updating to one of the following versions outlined in the table below to remediate the newly discovered vulnerability.
Solutions
FortiOS-6K7K Versions | FortiProxy Versions | FortiOS Versions
Recommendation #2: Disable SSL-VPN on Impacted Devices
If you are unable to upgrade to the versions above, Fortinet recommends disabling SSL-VPN functionality to mitigate the vulnerability.
References
On 9 June 2023, security researchers from Olympe CyberDefense published a blog post stating that they had responsibly disclosed a critical vulnerability in Fortinet SSL-VPN firewalls to the vendor. This vulnerability, CVE-2023-27997, is a critical, pre-authentication RCE vulnerability that impacts all versions of Fortinet SSL-VPN firewalls, even when multi-factor authentication (MFA) is enabled. Although Fortinet has not yet published a security advisory for CVE-2023-27997, the vendor has released firmware updates to remediate the vulnerability. Based on the advisory published by Olympe CyberDefense, additional information about the vulnerability will be published on 13 June 2023.
Fortinet has provided advance communication to their customers regarding this vulnerability prior to disclosure. While no evidence of exploitation in the wild has been observed, threat actors have historically exploited Fortinet SSL-VPN vulnerabilities to obtain initial access shortly after details of such vulnerabilities were published.
Recommendation for CVE-2023-27997
Apply the Latest Security Patches Released by Fortinet
Arctic Wolf strongly recommends updating to the following versions outlined in the table below to remediate the newly discovered vulnerability.
According to Olympe CyberDefense and the Australian Cyber Security Centre (ACSC), the following versions contain a patch remediating CVE-2023-27997.
Fixed Versions: 7.0.12, 7.2.5, 6.4.13, 6.2.15, 6.0.17
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
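As an added example (not code from Arctic Wolf, Fortinet or the researchers cited above), the script below triages a device inventory against the affected-version lists in the updated table and the Fixed Versions list on this page, and ranks devices using the bulletin's own rule that an affected device with SSL-VPN disabled has its risk mitigated. The inventory records, hostnames, function names, and the assumption that the Fixed Versions apply to FortiOS release branches (the page does not tie them to a product) are this example's own.

```python
"""
Triage a Fortinet device inventory against the CVE-2023-27997 version data on
this bulletin. Affected-version sets are copied from the bulletin's updated
table; the inventory below is constructed for the example.
"""
import re

# Affected versions exactly as listed in the bulletin's updated table.
AFFECTED = {
    "FortiOS-6K7K": set(
        "7.0.5 7.0.10 6.4.8 6.4.6 6.4.2 6.4.12 6.4.10 6.2.9 6.2.7 6.2.6 6.2.4 "
        "6.2.13 6.2.12 6.2.11 6.2.10 6.0.16 6.0.15 6.0.14 6.0.13 6.0.12 6.0.10".split()
    ),
    "FortiProxy": set(
        "7.2.3 7.2.2 7.2.1 7.2.0 7.0.9 7.0.8 7.0.7 7.0.6 7.0.5 7.0.4 7.0.3 7.0.2 "
        "7.0.1 7.0.0 2.0.9 2.0.8 2.0.7 2.0.6 2.0.5 2.0.4 2.0.3 2.0.2 2.0.12 "
        "2.0.11 2.0.10 2.0.1 2.0.0 1.2.9 1.2.8 1.2.7 1.2.6 1.2.5 1.2.4 1.2.3 "
        "1.2.2 1.2.13 1.2.12 1.2.11 1.2.10 1.2.1 1.2.0 1.1.6 1.1.5 1.1.4 1.1.3 "
        "1.1.2 1.1.1 1.1.0".split()
    ),
    "FortiOS": set(
        "7.2.4 7.2.3 7.2.2 7.2.1 7.2.0 7.0.9 7.0.8 7.0.7 7.0.6 7.0.5 7.0.4 7.0.3 "
        "7.0.2 7.0.11 7.0.10 7.0.1 7.0.0 6.4.9 6.4.8 6.4.7 6.4.6 6.4.5 6.4.4 "
        "6.4.3 6.4.2 6.4.12 6.4.11 6.4.10 6.4.1 6.4.0 6.2.9 6.2.8 6.2.7 6.2.6 "
        "6.2.5 6.2.4 6.2.3 6.2.2 6.2.13 6.2.12 6.2.11 6.2.10 6.2.1 6.2.0 6.0.9 "
        "6.0.8 6.0.7 6.0.6 6.0.5 6.0.4 6.0.3 6.0.2 6.0.16 6.0.15 6.0.14 6.0.13 "
        "6.0.12 6.0.11 6.0.10 6.0.1 6.0.0".split()
    ),
}

# "Fixed Versions" from the bulletin (attributed there to Olympe CyberDefense
# and the ACSC). ASSUMPTION of this example: they are FortiOS branch fixes,
# so they are keyed by "major.minor" branch and applied to FortiOS only.
FIXED_FORTIOS = {v.rsplit(".", 1)[0]: v
                 for v in ["7.0.12", "7.2.5", "6.4.13", "6.2.15", "6.0.17"]}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'v7.0.9' or '7.0.9' -> (7, 0, 9); raises ValueError on anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def classify(product, version):
    """Return 'affected', 'below_fixed', 'fixed' or 'unknown' for one device."""
    parts = parse_version(version)
    canonical = "%d.%d.%d" % parts
    if canonical in AFFECTED.get(product, set()):
        return "affected"           # explicitly listed by the bulletin
    if product == "FortiOS":
        fixed = FIXED_FORTIOS.get("%d.%d" % parts[:2])
        if fixed is not None:
            # Not listed, but compare against the branch's fixed release.
            return "fixed" if parts >= parse_version(fixed) else "below_fixed"
    return "unknown"                # branch/product not covered by the page


def triage(inventory):
    """
    inventory: iterable of (hostname, product, version, ssl_vpn_enabled).
    Returns dicts sorted most-urgent first: exposed (SSL-VPN on) affected
    devices, then affected devices with SSL-VPN off, then unknowns, then fixed.
    """
    results = []
    for host, product, version, ssl_vpn in inventory:
        status = classify(product, version)
        if status == "fixed":
            priority, action = 3, "none: already on a fixed release"
        elif status in ("affected", "below_fixed"):
            if ssl_vpn:
                priority = 0
                action = "upgrade now; if that is not possible, disable SSL-VPN"
            else:
                priority = 1
                action = "upgrade per patch schedule (SSL-VPN disabled mitigates the risk)"
            if status == "below_fixed":
                action += "; version not in the bulletin's list, verify with the vendor"
        else:
            priority, action = 2, "verify product/version against the vendor advisory"
        results.append({"host": host, "product": product, "version": version,
                        "status": status, "priority": priority, "action": action})
    results.sort(key=lambda r: (r["priority"], r["host"]))
    return results


# Constructed sample inventory (hostnames and data are invented for the example).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.9", True),
    ("fw-lab-02", "FortiOS", "7.2.5", True),
    ("proxy-01", "FortiProxy", "2.0.12", True),
    ("fw-dc-03", "FortiOS", "6.2.14", False),
    ("fw-old-04", "FortiOS", "5.6.14", True),
    ("chassis-01", "FortiOS-6K7K", "6.4.12", False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-12s %-13s %-8s %-12s %s" % (row["host"], row["product"],
              row["version"], row["status"], row["action"]))
```

Devices with SSL-VPN enabled on an affected release sort to the top, matching the bulletin's advice to upgrade first and disable SSL-VPN where an upgrade is not yet possible; a device whose branch is not covered by the page is reported as unknown rather than silently treated as safe.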