Alert - Vulnerability impacting FortiGate/FortiOS (CVE-2023-27997) – Update 2

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On June 10, 2023, the Cyber Centre became aware of open-source reporting which indicated there was a pending vulnerability disclosure expected for June 13, 2023, affecting the SSL-VPN component on FortiGate appliances ^{Footnote 1}. On June 11, additional open-source reporting reinforced these claims with confirmation by the threat researcher and the organization the researcher represents. ^{Footnote 2Footnote 3}

On June 11, 2023, BleepingComputer published an article containing citations from the researcher that identifies the vulnerability impacts the SSL-VPN components of FortiGATE/FortiOS which could result in remote code execution. The researcher claims the vulnerability can be exploited without authentication and the capability to bypass multi-factor authentication reportedly exists.^{Footnote 4}

Open-source indicates that the CVE assigned to this vulnerability is CVE-2023-27997.^{Footnote 5}

Update 1

On June 12, 2023, Fortinet published security advisory FG-IR-23-097 describing CVE-2023-27997, which was originally disclosed in open-source^{Footnote 7}. Fortinet reports that a heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. Fortinet also reports that the vulnerability may have been exploited in a limited number of cases^{Footnote 8}. On 13 June the Cybersecurity and Infrastructure Security Agency (CISA) updated the Known Exploited Vulnerabilities catalog to reflect known exploitation of this vulnerability.^{Footnote 9}

The affected products list has been updated below to reflect Fortinet's recommended patch levels.

Update 2

On June 30, 2023, researchers at Bishop Fox reported that there continues to be a significant number of vulnerable Fortinet devices accessible via the Internet and demonstrated a proof of concept of the vulnerability ^{Footnote 10}. On July 5, 2023, the Canadian Centre for Cyber Security (Cyber Centre) conducted an assessment and has identified that a number of organizations within Canada continue to use Fortinet appliances that are vulnerable to CVE-2023-27997. Canadian organizations are strongly encouraged to review all Fortinet devices that use SSL-VPN to confirm that all unpatched devices are isolated and patched.

Suggested actions

This vulnerability can be exploited if unpatched Fortinet devices permit external connectivity to the SSL-VPN service. The Cyber Centre recommends as a temporary workaround that that the SSL-VPN service be disabled until patching can be completed.

The Cyber Centre strongly recommends that organizations patch any vulnerable Fortinet devices. On June 12, 2023, Fortinet published FG-IR-23-097^{Footnote 7} which identifies the following affected products and recommended patch levels:

• FortiOS-6K7K version 7.0.12 or above
• FortiOS-6K7K version 6.4.13 or above
• FortiOS-6K7K version 6.2.15 or above
• FortiOS-6K7K version 6.0.17 or above
• FortiProxy version 7.2.4 or above
• FortiProxy version 7.0.10 or above
• FortiOS version 7.4.0 or above
• FortiOS version 7.2.5 or above
• FortiOS version 7.0.12 or above
• FortiOS version 6.4.13 or above
• FortiOS version 6.2.14 or above
• FortiOS version 6.0.17 or above

Organizations should review and implement the Cyber Centre’s Top 10 IT Security Actions ^{Footnote 6} with an emphasis on the following topics:

• Consolidating, monitoring, and defending Internet gateways.
• Patching operating systems and applications.
• Isolate web-facing applications

Should activity matching the content of this alert be discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.