A critical remote code execution (RCE) vulnerability in Fortinet’s FortiGate SSL VPNs, which was disclosed and patched by the vendor in June 2023, has been found to affect a larger number of devices than initially estimated. Researchers at Bishop Fox have developed exploit code for the vulnerability and estimate that there are approximately 340,000 unpatched FortiGate devices that remain vulnerable to attack. This number is significantly higher than the 250,000 devices that were initially believed to be affected.
The vulnerability, known as CVE-2023-27997, is a heap-based buffer overflow vulnerability that affects multiple versions of FortiOS and FortiProxy SSL-VPN software. It allows remote attackers to execute arbitrary code on a vulnerable device and take complete control over it. Researchers from Lexfo have stated that the vulnerability affects every SSL VPN appliance running FortiOS.
Although Bishop Fox has not released the exploit code publicly, the company has published a GIF demonstrating it in a blog post. According to Caleb Gross, director of capability development at Bishop Fox, the exploit gives an attacker an interactive shell on a compromised FortiGate device. Gross noted that the exploit runs much faster than the one in the demo video published by Lexfo, taking only about one second on a 64-bit device.
Fortinet released firmware updates addressing the vulnerability on June 12 and warned that it could be abused by threat actors like those behind the Volt Typhoon cyber-espionage campaign. The campaign, which primarily targeted US telecom companies and critical infrastructure organizations, has been known to exploit another Fortinet flaw (CVE-2022-40684) for initial access. Fortinet advised organizations not to underestimate the potential for threat actors to exploit CVE-2023-27997 as well.
The vulnerability in Fortinet’s FortiGate SSL VPNs is just one of many critical vulnerabilities that have been discovered in the company’s products. Firewalls and VPN appliances, like those from Fortinet, are popular targets for adversaries due to the access they provide to enterprise networks. The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued multiple advisories stressing the importance of promptly addressing vulnerabilities in network devices.
In June 2022, CISA issued an advisory warning that China-sponsored threat actors were actively targeting unpatched vulnerabilities in network devices from various vendors, including Fortinet. System administrators are advised to patch vulnerabilities as quickly as possible, even though the process can be more complex for appliances that run application gateways. Timothy Morris, chief security adviser at Tanium, recommends backing up configurations and verifying that they can be restored correctly.
Overall, organizations using Fortinet’s FortiGate SSL VPNs should take immediate steps to patch the vulnerability (CVE-2023-27997) to prevent potential exploitation by threat actors. Given the high level of interest in network devices by attackers, timely patching and regular vulnerability management should be prioritized to maintain a secure infrastructure.