On June 9, 2023, Fortinet silently patched a purported critical remote code execution (RCE) vulnerability in Fortigate SSL VPN firewalls. According to Lexfo Security’s Charles Fol, who discovered the vulnerability, the flaw is heap-based and reachable pre-authentication. According to reports, security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.
Fortinet published an advisory for CVE-2023-27997 on June 13, 2023. The company has a history of issuing security patches prior to disclosing critical vulnerabilities. Presumably, this policy is meant to give customers time to update their devices before threat actors exploit flaws, but in practice, it gives attackers a head start on attack development while keeping vulnerable organizations in the dark.
According to a June 14, 2023 update to the advisory, Fortinet is now aware of instances where this vulnerability has been exploited to download the config file from targeted devices and to add a malicious super_admin account called fortigate-tech-support:
# show system admin
edit "fortigate-tech-support"
set accprofile "super_admin"
set vdom "root"
set password ENC [...]
next
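A defender reviewing many devices will want to check `show system admin` output mechanically rather than by eye. The following is an added example (not code from Rapid7 or Fortinet) that parses the edit/set/next stanzas shown above into records and flags two things: an account whose name matches the one named in Fortinet's advisory, and any other super_admin account that is not on an allowlist of expected administrators. The sample output, the "admin" and "ops-ro" account names, and the allowlist are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show system admin` output (not captured from a real device).
# "fortigate-tech-support" is the account name reported in Fortinet's advisory;
# "admin" and "ops-ro" are made-up accounts standing in for legitimate ones.
SAMPLE_OUTPUT = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC [...]
    next
    edit "ops-ro"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC [...]
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC [...]
    next
end
"""

# Account name taken from the advisory text quoted in the post above.
KNOWN_IOC_NAMES = {"fortigate-tech-support"}


@dataclass
class AdminAccount:
    name: str
    accprofile: str
    vdom: str


def parse_admin_config(text):
    """Turn each `edit "<name>"` ... `next` stanza into an AdminAccount.

    Only the accprofile and vdom settings are kept; other `set` lines
    (e.g. the encrypted password) are ignored.
    """
    accounts = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"([^"]*)"$', line)
        if m:
            current = {"name": m.group(1), "accprofile": "", "vdom": ""}
            continue
        m = re.match(r'^set\s+(accprofile|vdom)\s+"([^"]*)"$', line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            continue
        if line == "next" and current is not None:
            accounts.append(AdminAccount(**current))
            current = None
    return accounts


def find_suspicious_admins(accounts, expected_admins):
    """Return (account name, reason) pairs that deserve a human look."""
    findings = []
    for acct in accounts:
        if acct.name in KNOWN_IOC_NAMES:
            findings.append((acct.name, "name matches account reported in Fortinet advisory"))
        elif acct.accprofile == "super_admin" and acct.name not in expected_admins:
            findings.append((acct.name, "unexpected super_admin account"))
    return findings


if __name__ == "__main__":
    accts = parse_admin_config(SAMPLE_OUTPUT)
    # "admin" is the only super_admin we expect on this hypothetical device.
    for name, reason in find_suspicious_admins(accts, expected_admins={"admin"}):
        print(f"{name}: {reason}")
```

Feed it the saved output of `show system admin` from each device and keep the allowlist per device or per estate; a match on the advisory's account name is a strong indicator, while an unlisted super_admin is a prompt to verify, not proof of compromise.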
Fortinet device vulnerabilities are historically popular with attackers of all skill levels, though exploitability varies on a vuln-by-vuln basis. The U.S. government recently released a security bulletin that highlighted state-sponsored threat actors gaining access to networks via Fortigate devices. Fortinet vulnerabilities are also popular with initial access broker groups that sell access to potential victims’ networks to ransomware groups.
Per Fortinet’s advisory, “at least” the following products are affected:
FortiOS-6K7K version 7.0.10
FortiOS-6K7K version 7.0.5
FortiOS-6K7K version 6.4.12
FortiOS-6K7K version 6.4.10
FortiOS-6K7K version 6.4.8
FortiOS-6K7K version 6.4.6
FortiOS-6K7K version 6.4.2
FortiOS-6K7K version 6.2.9 through 6.2.13
FortiOS-6K7K version 6.2.6 through 6.2.7
FortiOS-6K7K version 6.2.4
FortiOS-6K7K version 6.0.12 through 6.0.16
FortiOS-6K7K version 6.0.10
FortiProxy version 7.2.0 through 7.2.3
FortiProxy version 7.0.0 through 7.0.9
FortiProxy version 2.0.0 through 2.0.12
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.11
FortiOS version 6.4.0 through 6.4.12
FortiOS version 6.2.0 through 6.2.13
FortiOS version 6.0.0 through 6.0.16
Per the advisory, update to one of the following fixed versions:
FortiOS version 7.2.0 through 7.2.4
FortiOS-6K7K version 7.0.12 or above
FortiOS-6K7K version 6.4.13 or above
FortiOS-6K7K version 6.2.15 or above
FortiOS-6K7K version 6.0.17 or above
FortiProxy version 7.2.4 or above
FortiProxy version 7.0.10 or above
FortiOS version 7.4.0 or above
FortiOS version 7.2.5 or above
FortiOS version 7.0.12 or above
FortiOS version 6.4.13 or above
FortiOS version 6.2.14 or above
FortiOS version 6.0.17 or above
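Matching an inventory of FortiOS and FortiProxy builds against the two lists above is error-prone by hand, so here is an added example (not code from Rapid7 or Fortinet) that encodes the affected ranges and fixed versions as transcribed from the post and answers, for a given product and version string, whether it is in an affected range and which release on the same branch the advisory lists as the fix. It assumes three-part dotted versions, treats "all versions" of 1.1 and 1.2 as any build on that branch, and returns None where the post lists no fix for a branch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AffectedRange:
    product: str
    low: tuple   # inclusive lower bound
    high: tuple  # inclusive upper bound


def parse_version(s):
    """'7.2.4' -> (7, 2, 4); shorter strings are zero-padded to three parts."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def rng(product, low, high=None):
    """A single affected version (high omitted) or an inclusive range."""
    lo = parse_version(low)
    return AffectedRange(product, lo, parse_version(high) if high else lo)


def all_versions(product, branch):
    """'all versions' of a major.minor branch, e.g. FortiProxy 1.2."""
    major, minor, _ = parse_version(branch)
    return AffectedRange(product, (major, minor, 0), (major, minor, 10**9))


# Affected versions, transcribed from the advisory list in the post above.
AFFECTED = [
    rng("FortiOS-6K7K", "7.0.10"), rng("FortiOS-6K7K", "7.0.5"),
    rng("FortiOS-6K7K", "6.4.12"), rng("FortiOS-6K7K", "6.4.10"),
    rng("FortiOS-6K7K", "6.4.8"), rng("FortiOS-6K7K", "6.4.6"),
    rng("FortiOS-6K7K", "6.4.2"),
    rng("FortiOS-6K7K", "6.2.9", "6.2.13"), rng("FortiOS-6K7K", "6.2.6", "6.2.7"),
    rng("FortiOS-6K7K", "6.2.4"),
    rng("FortiOS-6K7K", "6.0.12", "6.0.16"), rng("FortiOS-6K7K", "6.0.10"),
    rng("FortiProxy", "7.2.0", "7.2.3"), rng("FortiProxy", "7.0.0", "7.0.9"),
    rng("FortiProxy", "2.0.0", "2.0.12"),
    all_versions("FortiProxy", "1.2"), all_versions("FortiProxy", "1.1"),
    rng("FortiOS", "7.2.0", "7.2.4"), rng("FortiOS", "7.0.0", "7.0.11"),
    rng("FortiOS", "6.4.0", "6.4.12"), rng("FortiOS", "6.2.0", "6.2.13"),
    rng("FortiOS", "6.0.0", "6.0.16"),
]

# First fixed release per product and major.minor branch, from the post's remediation list.
FIXED = {
    "FortiOS": {(7, 4): "7.4.0", (7, 2): "7.2.5", (7, 0): "7.0.12",
                (6, 4): "6.4.13", (6, 2): "6.2.14", (6, 0): "6.0.17"},
    "FortiOS-6K7K": {(7, 0): "7.0.12", (6, 4): "6.4.13",
                     (6, 2): "6.2.15", (6, 0): "6.0.17"},
    "FortiProxy": {(7, 2): "7.2.4", (7, 0): "7.0.10"},
}


def is_affected(product, version):
    """True if (product, version) falls inside any affected range."""
    v = parse_version(version)
    return any(r.product == product and r.low <= v <= r.high for r in AFFECTED)


def fixed_version(product, version):
    """The fixed release on the same major.minor branch, or None if none is listed."""
    major, minor, _ = parse_version(version)
    return FIXED.get(product, {}).get((major, minor))


if __name__ == "__main__":
    # Constructed inventory entries for illustration.
    for product, version in [("FortiOS", "7.2.4"), ("FortiOS", "7.2.5"),
                             ("FortiProxy", "1.2.13"), ("FortiOS-6K7K", "7.0.9")]:
        status = "AFFECTED" if is_affected(product, version) else "not listed"
        print(f"{product} {version}: {status}, fix: {fixed_version(product, version)}")
```

Note that a version that is "not listed" is not the same as "fixed": the advisory says "at least" these versions are affected, and the FortiOS-6K7K list names individual builds rather than ranges, so a build between two listed ones still deserves a look against the vendor's current advisory.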
InsightVM and Nexpose customers can assess their exposure to CVE-2023-27997 with an authenticated vulnerability check available in today’s (June 12, 2023) content release.
July 13, 2023: Added affected products and remediation information from Fortinet’s July 13, 2023 CVE-2023-27997 advisory.
July 14, 2023: Added new information from Fortinet’s advisory about CVE-2023-27997 exploitation in the wild.