
Warning: Remote code execution vulnerability discovered in all FortiGate devices running FortiOS with SSL-VPN enabled, Patch Immediately!

Reference: Advisory #2023-68
Version: 1.0
Affected software: FortiGate devices running FortiOS with SSL-VPN enabled
Type: Unauthenticated Remote Code Execution
CVE/CVSS: CVE-2023-27997, CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://nvd.nist.gov/vuln/detail/CVE-2023-27997

Risks

An unauthenticated remote attacker could gain remote code execution capabilities on a vulnerable FortiOS appliance even if multi-factor authentication is enabled.

Previous, similar SSL-VPN flaws in FortiOS were heavily exploited by nation-state actors and cybercriminals to gain a foothold in victim networks.

CVE-2023-27997 has a high impact on confidentiality, integrity, and availability. Immediate action is required!

Fortinet will publish more details on CVE-2023-27997 on the 13th of June; this advisory will be updated accordingly.

Description

Fortinet did not communicate officially about this vulnerability, in order to give customers time to patch and take the necessary actions.

The attack vector is the network: successful exploitation allows an unauthenticated attacker to obtain remote code execution on the FortiOS appliance.

Exploit code for this vulnerability has not been observed publicly, but some actors claim to already have a working exploit for it.

It is extremely important to perform the following recommended actions as soon as possible!

Recommended Actions

The Centre for Cybersecurity Belgium strongly recommends that system administrators take the following actions:

  • Update FortiOS to one of the following versions:
    • 6.0.17
    • 6.2.15
    • 6.4.13
    • 7.0.12
    • 7.2.5
  • Check the FortiOS logs for any malicious actions e.g., creation of a new user.
  • Monitor the FortiOS device and its VPN connections closely to discover anomalies.
  • Monitor your network traffic to discover any malicious traffic within your network.
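To support the first action, here is a small Python helper, added as an example and not part of the CCB advisory, that compares a device's FortiOS version string with the fixed releases listed above and flags devices still to be updated. The `v7.0.11,build0489,...` version format and the inventory tuples are assumptions chosen for the example; a branch not listed above (for instance 5.x) is reported as unknown rather than guessed.

```python
import re

# Fixed FortiOS releases listed in CCB advisory #2023-68 for CVE-2023-27997,
# keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}

# Assumed format, as printed by `get system status`: "v7.0.11,build0489,230301 (GA.M)".
# Only the major.minor.patch token is used; the build/date suffix is ignored.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a FortiOS version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(text, sslvpn_enabled=True):
    """Classify one device against the advisory's fixed releases.

    'not-in-scope': SSL-VPN disabled, so outside the advisory's affected software
    'patched':      running the fixed release (or later) of its branch
    'vulnerable':   running a listed branch below its fixed release
    'unknown':      unparsable version, or a branch the advisory does not list
    """
    if not sslvpn_enabled:
        return "not-in-scope"
    ver = parse_version(text)
    if ver is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(ver[:2])  # branch = (major, minor)
    if fixed is None:
        return "unknown"
    return "patched" if ver >= fixed else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, version_string, sslvpn_enabled) tuples."""
    return {host: assess(ver, ssl) for host, ver, ssl in inventory}
```

Devices reported as 'unknown' need a manual check against the vendor's own advisory once it is published.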

References

https://olympecyberdefense.fr/1193-2/