Fortigate SSL-VPN Remote Code Execution Vulnerability (CVE-2023-27997)

It's important that organizations deploy last week's "Patch Tuesday" patches as soon as possible. These patches include several critical, high, and important severity vulnerabilities, but more importantly, it addresses 6 vulnerabilities that are known to be under active exploitation by threat actors "in the wild".

Security Advisory Notice:
Fortigate SSL-VPN Remote Code Execution Vulnerability (CVE-2023-27997)

Affected Software / System

This advisory specifically applies to the following Fortinet products:

• All FortiGate devices running FortiOS with SSL-VPN enabled are potentially at risk.

CVE (if applicable)

• CVE-2023-27997

Type

Remote Code Execution Vulnerability that would allow a hostile agent to interfere via the VPN, even if the MFA is activated.

Exploit Status: 

There are currently no confirmed instances of exploitation “in the wild”. However, further weaponization and exploitation is imminent. 

Rating

CVE-2023-27997
CVSSv3 score:  (Pending)
Severity: Critical

Vulnerability Summary

On June 12th, 2023, Olympe CyberDefense, a France-based cyber threat intelligence vendor, posted a security alert on their website about a critical security vulnerability in FortiOS ssl-vpn. The official PRIST Advisory from FortiGaurd Labs has not yet been published but is expected to be officially disclosed on Tuesday, June 13th, 2023. 

According to an advisory by beyondmachines.net, “The security fixes were included in the FortiOS firmware versions which were released on Friday, 9th of June. Fixed versions of FortiOS are:

• 6.0.17
• 6.2.15
• 6.4.13
• 7.0.12
• 7.2.5

The firmware release notes do not explicitly mention the RCE vulnerability, but security professionals indicated that these updates silently addressed the issue.”

Impact

This RCE vulnerability can allow an unauthenticated attacker to execute arbitrary code via remote devices and could allow the execution of other malicious artifacts.

Once a targeted system is compromised, there is a high risk of an organization's infrastructure backups being corrupted and/or ransomed, as well as a risk of lateral movement by the threat actor.

Mitigations

For clients who can not immediately patch vulnerable systems:

• Disable SSL-VPN on all Fortinet Devices. Specific firewall rules and steps to disable ssl-vpn can be found here.

For clients who can immediately patch vulnerable systems:

• Upgrade FortiOS to the latest version as soon as possible.

Ingalls MDR Clients Protections:

The Ingalls CTI team is actively engaged in hunting for any of the known indications of compromise at this time and will continue to closely monitor and develop additional detections as they become available. Please notify your assigned Primary Analyst if you suspect that your organization may be breached or require additional threat hunting and analysis.

Ingalls Recommends the Following Actions:

Implement the above mitigation actions on every affected Fortinet appliance in your environment and roll out the latest patches as soon as possible.