Report by: Hazem Mohamed
More information about:
| CVE-2023-27997 |
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27997
Summary
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
Workaround:
Disable SSL-VPN.
Affected Products
At least
FortiOS-6K7K version 7.0.10
FortiOS-6K7K version 7.0.5
FortiOS-6K7K version 6.4.12
FortiOS-6K7K version 6.4.10
FortiOS-6K7K version 6.4.8
FortiOS-6K7K version 6.4.6
FortiOS-6K7K version 6.4.2
FortiOS-6K7K version 6.2.9 through 6.2.13
FortiOS-6K7K version 6.2.6 through 6.2.7
FortiOS-6K7K version 6.2.4
FortiOS-6K7K version 6.0.12 through 6.0.16
FortiOS-6K7K version 6.0.10
At least
FortiProxy version 7.2.0 through 7.2.3
FortiProxy version 7.0.0 through 7.0.9
FortiProxy version 2.0.0 through 2.0.12
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
At least
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.11
FortiOS version 6.4.0 through 6.4.12
FortiOS version 6.2.0 through 6.2.13
FortiOS version 6.0.0 through 6.0.16
Solutions
Please upgrade to FortiOS-6K7K version 7.0.12 or above
Please upgrade to FortiOS-6K7K version 6.4.13 or above
Please upgrade to FortiOS-6K7K version 6.2.15 or above
Please upgrade to FortiOS-6K7K version 6.0.17 or above
Please upgrade to FortiProxy version 7.2.4 or above
Please upgrade to FortiProxy version 7.0.10 or above
Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.5 or above
Please upgrade to FortiOS version 7.0.12 or above
Please upgrade to FortiOS version 6.4.13 or above
Please upgrade to FortiOS version 6.2.14 or above
Please upgrade to FortiOS version 6.0.17 or above
Acknowledgement
Fortinet is pleased to thank Charles Fol and Dany Bach from LEXFO for bringing this issue to our attention under responsible disclosure.
Tenable Analysis
CVE-2023-27997 is a heap-based buffer overflow vulnerability in the secure socket layer virtual private network (SSL VPN) functionality in FortiOS and FortiProxy in Fortinet devices including its FortiGate Next Generation Firewalls (NGFW). An unauthenticated, remote attacker could exploit this vulnerability by sending specially crafted requests to a vulnerable device. Successful exploitation would grant an attacker the ability to execute arbitrary code on the vulnerable device.
The vulnerability was discovered by security researchers Charles Fol and Dany Bach of LEXFO. On June 11, Fol tweeted about the availability of patches for the flaw, adding that it is “reachable pre-authentication, on every SSL VPN appliance.”
#Fortinet published a patch for CVE-2023-27997, the Remote Code Execution vulnerability @DDXhunter and I reported. This is reachable pre-authentication, on every SSL VPN appliance. Patch your #Fortigate. Details at a later time. #xortigate
— Charles Fol (@cfreal_) June 11, 2023
Fortinet has published a blog post providing additional information on CVE-2023-27997 as well as several other flaws that have been addressed as part of its recent firmware updates. In the blog, Fortinet notes that CVE-2023-27997 “may have been exploited in a limited number of cases.”
This disclosure is similar to past disclosures from Fortinet in October 2022 for CVE-2022-40684, a critical authentication bypass in FortiOS and FortiProxy, and December 2022 for CVE-2022-42475, a separate heap-based buffer overflow in FortiOS SSL VPNs.
CVE-2022-42475 was exploited in the wild by suspected Chinese threat actors to compromise a government entity in Europe and a managed service provider in Africa, while Fortinet says in its recent blog post about CVE-2023-27997 that CVE-2022-40684 was exploited by a recently discovered threat actor known as Volt Typhoon.
Nearly 260,000 Fortinet FortiGate firewalls are publicly accessible
According to a Shodan search query shared by BleepingComputer, there are nearly 260,000 Fortinet FortiGate firewalls that are publicly accessible. The United States tops the list with nearly 40,000 publicly accessible devices, followed by India (21,237) and Brazil (10,844).
References :
