
Possible Exploitation of Patched Critical Vulnerability Detected


A limited number of users in government, manufacturing, and critical infrastructure sectors may have fallen victim to a flaw in Fortinet’s FortiOS SSL-VPN. The company has since issued a fix for the vulnerability, known as CVE-2023-27997/FG-IR-23-097, which it rates as critical. Fortinet is urging its customers to apply the fix as they continue to monitor the situation.

Exploitation of this flaw can lead to data loss, OS and file corruption, making it essential for affected customers to update their systems. Fortinet advises all customers with SSL-VPN enabled to take immediate action and upgrade to the most recent firmware release. Even for those not using SSL-VPN, Fortinet still recommends upgrading to mitigate any potential risks.

The vulnerability, which is a heap-based buffer overflow pre-authentication vulnerability, affects both FortiOS and FortiProxy SSL-VPN. It allows unauthenticated attackers to gain remote code execution (RCE) through maliciously crafted requests. Fortinet has released patches for FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

The discovery of this flaw came about during an audit of Fortinet’s SSL-VPN platform. The audit was initiated after the exploitation of another vulnerability, CVE-2022-42475, which was a zero-day bug at the time of its discovery in January. A responsible disclosure from a third-party researcher combined with the audit led to the identification and remediation of the issues in the current firmware releases.

While Fortinet has not conclusively linked CVE-2023-27997 to the Volt Typhoon campaign that targeted US critical infrastructure, the company does not discount its use in the campaign. Fortinet expects threat actors, including those behind the Volt Typhoon campaign, to continue exploiting unpatched vulnerabilities in widely used software and devices.

The Volt Typhoon campaign, discovered by Microsoft, involves China-sponsored threat actors gaining persistent access within telecom networks and other critical infrastructure targets in the US. These attackers initially used CVE-2022-40684, an authentication bypass vulnerability in Fortinet FortiOS and FortiProxy, to gain access. Internet-facing Fortinet devices are popular targets for threat actors aiming to infiltrate enterprise networks. As part of their research, Fortinet researchers found admin accounts named “fortinet-tech-support” and “fortigate-tech-support” in customer devices related to the Volt Typhoon campaign.

In addition to patching, Fortinet suggests other mitigations for affected organizations. One recommendation is to review systems for evidence of exploitation of previous Fortinet vulnerabilities, such as the one used in the Volt Typhoon campaign. Minimizing the attack surface by disabling unused features and managing devices out-of-band wherever possible can also help companies avoid being targeted by attacks that exploit existing vulnerabilities.
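Two of the checks above (is the running firmware below the fixed build for its branch, and are there admin accounts that should not be there) can be scripted. The following is an added example, not Fortinet's tooling or code from the article; the fixed-build table uses only the branches the article lists, the suspect account names are the two the article reports, and the `config system admin` sample is constructed for the demonstration.

```python
import re

# Fixed FortiOS builds for CVE-2023-27997 as listed in the article (branch -> fixed patch level)
PATCHED_BUILDS = {(6, 0): 17, (6, 2): 15, (6, 4): 13, (7, 0): 12, (7, 2): 5}
# Admin account names the article says Fortinet found on devices tied to Volt Typhoon
SUSPECT_ADMINS = {"fortinet-tech-support", "fortigate-tech-support"}

# Constructed sample of a 'config system admin' block in FortiOS CLI syntax, not a real device
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
    next
    edit "fortinet-tech-support"
    next
end
"""

def parse_version(text):
    """Turn 'v7.0.11' or '7.0.11' into the tuple (7, 0, 11)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(x) for x in m.groups())

def needs_patch(version):
    """True if below the fixed build of its branch, False if fixed, None if branch unknown here."""
    major, minor, patch = parse_version(version)
    fixed = PATCHED_BUILDS.get((major, minor))
    return None if fixed is None else patch < fixed

def admin_accounts(config_text):
    """List admin account names defined in the 'config system admin' block."""
    block = re.search(r"^config system admin\n(.*?)^end$", config_text, re.S | re.M)
    return re.findall(r'^\s*edit "([^"]+)"', block.group(1), re.M) if block else []

def review(version, config_text, expected_admins):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    status = needs_patch(version)
    if status is None:
        findings.append(f"FortiOS {version}: branch not in the fixed-build table, verify against the advisory")
    elif status:
        findings.append(f"FortiOS {version} predates the fixed build for CVE-2023-27997")
    for name in admin_accounts(config_text):
        if name in SUSPECT_ADMINS:
            findings.append(f"admin {name!r} matches a name reported in Volt Typhoon activity")
        elif name not in expected_admins:
            findings.append(f"admin {name!r} is not in the expected account list")
    return findings
```

`review("v7.0.11", SAMPLE_CONFIG, {"admin"})` reports both the outdated build and the suspect account; feed it the output of `show system admin` from the device to run it on real data.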
