Cyber security organisation Fortinet has released patches for an undisclosed vulnerability relating to its FortiGate Next-Generation Firewall.
The vulnerability, tracked as CVE-2023-27997, was identified in multiple versions of FortiGate when devices had SSL-VPN enabled. Fortinet listed the issue as heap buffer overflow in SSL-VPN pre-authentication.
According to the Australian Cyber Security Centre (ACSC), the vulnerability could provide a threat actor with a window to access a system and gain remote code execution abilities, leading to the installation of malicious software and other “unauthorised actions”.
The vulnerability was first published on 12 June and was discovered after “Fortinet’s Product Security Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module as part of our commitment to product security and integrity,” the company said.
This audit identified a number of vulnerabilities “that have been remediated”, with CVE-2023-27997 being the most critical.
Threat response organisation Rapid7 has said that over 200,000 FortiGate SSL-VPN devices were visible to the public internet.
“As of June 12, there were roughly 210,700 FortiGate devices with the SSL VPN component exposed to the public internet, the majority of which are in the United States, followed by Japan and Taiwan,” Rapid7 said in a release.
“Fortinet device vulnerabilities are historically popular with attackers of all skill levels, though exploitability varies on a vuln-by-vuln basis.”
Although the vulnerability was not initially believed to have led to attackers accessing FortiGate users’ systems, Fortinet has since released a statement revealing that it may have been exploited.
“Our investigation found that one issue (FG-IR-23-097) [a.k.a CVE-2023-27997] may have been exploited in a limited number of cases, and we are working closely with customers to monitor the situation,” said Fortinet’s PSIRT.
Although the threat group Volt Typhoon has targeted critical infrastructure providers through devices with Fortinet FortiGuard enabled, the cyber security company has said that it is not drawing any connection between the hacking group and the latest vulnerability.
“At this time, we are not linking FG-IR-23-097 to the Volt Typhoon campaign; however, Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices,” it said.
Fortinet and other security organisations are advising all users to install the security fixes contained in the FortiOS firmware versions released on 9 June: 6.0.17, 6.2.15, 6.4.13, 7.0.12 and 7.2.5.
In addition, Fortinet recommends that users review their systems for indications of compromise.
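For a defender with a fleet of firewalls, the first practical step is to check each device's firmware against the fixed versions named above. The following script is an added example written for this article; it is not code from Fortinet or from the article, and the device inventory it contains is constructed sample data. It takes each branch's minimum fixed build from the list above, treats any branch not in that list as unknown rather than guessing, and, because the article describes the flaw as reachable pre-authentication only on devices with SSL-VPN enabled, reports unpatched devices separately depending on whether that component is turned on.

```python
"""Triage FortiOS versions against the fixed builds listed for CVE-2023-27997.

Added example, not Fortinet's or the article's code. The fixed versions are the
ones the article names (6.0.17, 6.2.15, 6.4.13, 7.0.12, 7.2.5); any other
branch is reported as unknown rather than assumed safe or vulnerable.
"""
from typing import Dict, List, Tuple

# Minimum fixed build per branch, keyed by (major, minor), as listed in the article.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v7.0.11' or '7.0.11' into a comparable (major, minor, patch) tuple."""
    cleaned = text.strip().lower().lstrip("v")
    parts = cleaned.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version: str, ssl_vpn_enabled: bool) -> str:
    """Classify one device.

    Returns one of:
      'patched'               build is at or above the fixed build for its branch
      'vulnerable'            unpatched build with SSL-VPN enabled (pre-auth reachable)
      'unpatched-sslvpn-off'  unpatched build, SSL-VPN disabled; still needs the update
      'unknown-branch'        branch not covered by the article's list
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    if (major, minor, patch) >= fixed:
        return "patched"
    return "vulnerable" if ssl_vpn_enabled else "unpatched-sslvpn-off"


def triage(inventory: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group device names by assessment so the 'vulnerable' bucket can be acted on first."""
    buckets: Dict[str, List[str]] = {}
    for device in inventory:
        status = assess(str(device["version"]), bool(device["ssl_vpn"]))
        buckets.setdefault(status, []).append(str(device["name"]))
    return buckets


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"name": "fw-edge-01", "version": "v7.0.11", "ssl_vpn": True},
    {"name": "fw-edge-02", "version": "7.0.12", "ssl_vpn": True},
    {"name": "fw-branch-03", "version": "6.4.12", "ssl_vpn": False},
    {"name": "fw-lab-04", "version": "7.4.0", "ssl_vpn": True},
]

if __name__ == "__main__":
    for status, names in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(names)}")
```

Devices in the `vulnerable` bucket are the ones to patch and then review for indications of compromise first; `unpatched-sslvpn-off` devices still need the firmware update, and `unknown-branch` results should be checked against Fortinet's own advisory rather than assumed safe.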