Urgent Fortinet Patch Addresses Critical Vulnerability in FortiGate Firewalls

A critical security flaw discovered in Fortinet’s FortiGate firewalls and FortiProxy SSL-VPN may expose users to a remote code execution (RCE) attack. This threat is particularly concerning as it’s pre-authentication, affecting every SSL VPN appliance, making it reachable without needing any form of user credentials.

The Vulnerability Explained

The vulnerability, officially tracked as CVE-2023-27997, is described as a heap-based buffer overflow flaw, a type of security breach that can be exploited by attackers to run arbitrary code or commands via carefully crafted requests. Cybersecurity companies like French firm Olympe Cyberdefense and Lexfo Security, whose researchers Charles Fol and Dany Bach discovered this flaw, have noted the vulnerability’s potential for a hostile agent to infiltrate systems via the VPN, even with Multi-Factor Authentication (MFA) activated.

While Fortinet is yet to release a detailed advisory, the company has been known to issue security patches before disclosing critical vulnerabilities to give customers time to update their systems. However, this practice may inadvertently provide attackers an advantage, as they can start developing attacks while organizations remain unaware of their vulnerabilities.

Impacted Products and Recommended Solutions

Several versions of FortiOS and FortiProxy SSL-VPN are affected, including but not limited to FortiOS-6K7K versions from 6.0.10 to 7.0.10 and FortiProxy versions from 1.1 to 7.2.3. Additionally, FortiOS versions 6.0.0 through 7.2.4 are also vulnerable to the flaw.

To mitigate this vulnerability, users are urged to disable SSL-VPN and upgrade to the patched versions of their software. These include FortiOS-6K7K version 7.0.12 or above, FortiOS-6K7K version 6.4.13 or above, FortiOS-6K7K version 6.2.15 or above, FortiOS-6K7K version 6.0.17 or above, and other respective versions for different FortiProxy and FortiOS products.

Taking Precautions

Fortinet has earned a reputation as an attractive target for threat actors. Even state-sponsored actors and ransomware groups have been known to exploit Fortinet device vulnerabilities for unauthorized network access. With approximately 210,700 FortiGate devices with the SSL VPN component exposed to the public internet as of June 12, 2023, the majority of which are in the United States, Japan, and Taiwan, it’s crucial that users apply the patches as swiftly as possible to reduce potential risks.

Despite the complexity of heap-based exploits, the chances of widespread automated exploitation are not high. However, it’s always prudent to stay ahead of potential threats by updating your Fortinet products immediately and staying informed of the latest cybersecurity advisories.

We wish to thank Charles Fol and Dany Bach from LEXFO for their responsible disclosure of this issue.