Critical RCE Fortinet FortiGate Firewalls

Several patches have been released by Fortinet to address a critical security vulnerability in its FortiGate Firewalls and FortiProxy SSL-VPN that would allow a threat actor to initialise remote code execution via a heap-based buffer overflow vulnerability.

The vulnerability, tracked as CVE-2023-27997, is a heap-based buffer overflow vulnerability in SSL VPN devices in Forti OS and FortiProxy. The flaw would allow specially crafted requests to be sent to the vulnerable device to enable the attacker to execute arbitrary code on the vulnerable device. This is reachable pre-authentication.

All versions are affected. The following security fixes were released on Friday 09 June 2023:

·       FortiOS-6K7K version 7.0.12 or above.

·       FortiOS-6K7K version 6.4.13 or above.

·       FortiOS-6K7K version 6.2.15 or above.

·       FortiOS-6K7K version 6.0.17 or above.

·       FortiProxy version 7.2.4 or above.

·       FortiProxy version 7.0.10 or above.

·       FortiProxy version 2.0.13 or above.

·       FortiOS version 7.4.0 or above.

·       FortiOS version 7.2.5 or above.

·       FortiOS version 7.0.12 or above.

·       FortiOS version 6.4.13 or above.

·       FortiOS version 6.2.14 or above.

·       FortiOS version 6.0.17 or above.

The CVSSv3 scored the vulnerability as 9.2 out of 10: classing it as critical.                                             

It has been advised that admins should update devices as soon as possible. Fortinet has previously been known to push out security patches before disclosing the vulnerability to give customers time to update devices before any reverse engineering of the patches occurs.

A Shodan search details that over 250,000 FortiGate Firewalls are reachable publicly over the internet: deeming the exposure level to be critical.

A previous Fortinet vulnerability towards the end of last year had affected FortiOS, FortiProxy and FortiSwitch Manager. The previous critical vulnerability, detailed in CVE-2022-40684, would similarly bypass authentication using an alternative path of channel.

ITC-TI analyst comment:
  • We strongly recommend ensuring a vulnerability and patch management cycle is fully operationally and conducted regularly to avoid any vulnerabilities being detected by external tools and actively being exploited.
  • A Dual Firewall stack would increase security around the perimeter and internally in the event a perimeter firewall has been exploited.
  • Reset authentication credentials associated with VPN for added layer of security.
  • Ensure that the Zero Trust architecture is followed to verify end to end user activity and assume breach to assess the scale of impact.
  • Segment devices by criticality to prevent mass disruption across all systems, to minimise impact.
  • Ensure VPN logs are configured correctly send to monitoring tool for further analysis and custom detection.
  • Ensure that conditional access policies are enabled to prevent unauthorised access to critical infrastructure.
  • Create group policy to disable remote code execution unless in an authorised AD or AAD group. 

References