Date: 13/6/2023 | Prepared by: Jason Trapp, DFIR Analyst
Purpose and details
The purpose of this alert is to bring attention to a critical security issue identified within the FortiGate SSLVPN software. It’s being tracked with the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2023-27997.
This vulnerability has no associated Common Vulnerability Scoring System (CVSS) score. Based on what has been observed so far, it will most likely receive a critical rating, resulting in a CVSS score of 9 or above. The current understanding is that it affects all versions of the FortiGate SSLVPN. Full details of the vulnerability are expected to be released on 13 June 2023.
What is known so far is that this is a pre-authentication Remote Code Execution (RCE) vulnerability which would allow a Threat Actor to exploit this vulnerability without the need to use any login credentials. French cyber security team Olympe Cyberdefense discovered that this vulnerability also affects any SSLVPN regardless of whether Multi-Factor Authentication (MFA) has been implemented1.
As of the time of writing this Security Bulletin, there have been no reports of any Threat Actor groups exploiting this vulnerability. However, Triskele Labs is monitoring reports surrounding this vulnerability closely.
Due to the popularity of Fortinet products within the commercial space, it is likely that Threat Actors will discover a Proof of Concept (PoC) in the coming days.
Since the beginning of 2023, Fortinet has posted eight advisories. Due to the prevalence of vulnerabilities discovered, staying up to date with both notification and remediation of Fortinet vulnerabilities is advised. Historically, Threat Actors have been able to exploit vulnerabilities within days of the patch being released2, which makes urgent patching of critically rated vulnerabilities all the more vital.
Shodan, the search engine that maps and gathers information on internet-connected devices and systems, indicates that over 250,000 FortiGate firewalls are exposed to the Internet, with over 3,500 located within Australia3.
Vulnerable versions
This vulnerability affects all versions of the FortiGate SSLVPN software. Fortinet released patches on 9 June 2023 and recommends updating to either: 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5. As stated between The Stack and Olympe Cyberdefense, “It affects the SSLVPN component of FortiGate, if the remote web interface is exposed, you are likely to be vulnerable.”
Mitigation actions
Triskele Labs recommends that the FortiGate SSLVPN is updated in line with the version being run. The following location lists the relevant update articles for the affected versions:
Currently, no mitigation strategies have been recommended by Fortinet. However, the following should be considered:
- Remove inactive accounts.
- Implement network zones to limit access to different resources.
- Consider upgrading to version 7 as 6.X has reached End of Engineering Support4.
These mitigation strategies are not substitutes for patching the vulnerability but should be implemented to complement the patch as Defence in Depth measures or in the case that a patch cannot be immediately applied.
Detection
The Triskele Labs DefenceShield Security Operations Centre (SOC) monitors for suspicious activity for Managed Detection and Response (MDR) clients. DefenceShield Monitor clients that have provided visibility to their network infrastructure will be contacted directly to update their FortiGate SSLVPN.
Triskele Labs are performing ongoing scanning for DefenceShield Assess clients to detect vulnerable devices within client networks.
For any questions, please contact DefenceShield SOC or Triskele Labs support.
1 https://olympecyberdefense.fr/1193-2/
2 https://www.bleepingcomputer.com/news/security/fortinet-says-critical-auth-bypass-bug-is-exploited-in-attacks/
3 https://www.shodan.io/search?query=ssl.cert.subject.cn%3AFortiGate
4 https://endoflife.date/fortios
