Fortinet on Friday issued new firmware updates that patch an undisclosed, critical pre-authentication remote code execution (RCE) vulnerability in its Fortigate SSL-VPN appliances.
In a recent blog post, French researchers at Olympe Cyberdefense said the flaw would let a “hostile agent interfere via the VPN, even if the multi-factor authentication was activated.”
The researchers said patches have been issued in FortiOS firmware for the following versions: 7.0.12, 7.2.5, 6.4.13 and 6.2.15 — and that they are waiting for more details to be released tomorrow on June 13.
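The fixed releases above are per firmware branch, so checking an estate means matching each appliance's branch before comparing the patch number. The following is an added example (not Fortinet's tooling and not from the article) that does exactly that against the four versions named in this report; branches the article does not mention are reported as unknown rather than guessed, and the hostnames and firmware strings in the sample inventory are constructed.

```python
"""Check FortiOS version strings against the fixed releases named in the article.

Added example, not Fortinet's own tooling. FIXED_BY_BRANCH holds only the four
versions the article lists (7.0.12, 7.2.5, 6.4.13, 6.2.15); any other branch is
reported as "unknown" so the reader consults the PSIRT advisory instead of
trusting a guess. The sample inventory at the bottom is constructed.
"""
from __future__ import annotations

# Branch (major, minor) -> first fixed version, as listed in the article.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, int, int]] = {
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'v7.0.11', '7.0.11' or '7.0.11 build0489' into (major, minor, patch)."""
    token = text.strip().lower().lstrip("v").split()[0]
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one firmware version string."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        # Branch not named in the article: do not guess, defer to the advisory.
        return "unknown"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by assessment so the vulnerable set can be prioritised."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        buckets[assess(version)].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are invented for the demo).
SAMPLE_INVENTORY = {
    "fw-branch-01": "v7.0.11 build0489",  # one behind the 7.0 fix
    "fw-branch-02": "7.0.12",             # exactly the fixed release
    "fw-dc-01": "v7.2.4",                 # one behind the 7.2 fix
    "fw-dc-02": "v6.4.13",                # fixed release on the 6.4 branch
    "fw-legacy": "6.2.14",                # one behind the 6.2 fix
    "fw-lab": "v7.4.0",                   # branch not listed in the article
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

The comparison is done on the whole version tuple after the branch lookup, so a hypothetical later branch is never marked patched by accident; it simply falls into the unknown bucket until the fixed-version table is extended from the vendor advisory.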
Fortinet has a general practice of putting out security patches prior to disclosing critical vulnerabilities to give its customers time to patch before threat actors get ahold of the information.
On June 11, Lexfo Security researcher Charles Fol published a tweet confirming the flaw, saying that Fortinet published a patch for CVE-2023-27997, which was reserved by Fortinet with MITRE. Fol said it was an RCE that’s reachable pre-authentication on every Fortinet SSL-VPN appliance and advised patching immediately.
Fortinet has had to respond to a number of recent vulnerabilities, and here’s another good example, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said while it’s not unusual to release a patch to correct a vulnerability before publicly admitting it exists, it’s yet unclear whether it's been exploited in the wild or even known beyond the initial research. He added that while researchers were able to create a proof of concept (PoC), that doesn't always translate into a weaponized exploit.
“That said, once the PoC is made public, it's certain threat actors will try and create their own attack to leverage the exploit, which means Fortinet's users need to patch their systems as soon as the patches are available,” said Parkin. “I expect them to release more details once the CVE gets past the reserved stage. However, whether that’s enough in itself to replicate the researchers' work and generate another PoC remains to be seen. CVEs themselves are often light on details, so I’m more interested in seeing if the research is released after the CVE officially posts.”
Administrators are reluctant to patch network devices quickly, especially network devices like these, said John Bambenek, principal threat hunter at Netenrich.
“Releasing the patch before the CVE accommodates some of the delay so that protection can be in place before the broader community of threat actors are aware of the vulnerability, and start to exploit it,” said Bambenek.
Zach Hanley, chief attack engineer at Horizon3.ai, explained that while his team has not personally looked at the root cause yet, they understand that it's a heap-based vulnerability. Hanley said this means that exploitation will be trickier at scale because attackers need to adapt the exploit for each version of Fortinet appliance hit by the flaw.
“I would not expect this vulnerability to reach mass-exploitation, but instead we’ll see very targeted attacks on high-value organizations,” Hanley said. “Organizations that have a propensity to pay out for ransomware, or those that hold lots of intellectual property, are going to be likely targets.”
A statement from Fortinet said the firm published a PSIRT advisory (FG-IR-23-097) on June 12 that detailed recommended next steps regarding CVE-2023-27997.
"Fortinet continues to monitor the situation and has been proactively communicating to customers, strongly urging them to immediately follow the guidance provided to mitigate the vulnerability using either the provided workarounds or by upgrading," the statement continued. "As follow-up to this, we have shared additional detail and clarifications to help our customers make informed, risk-based decisions regarding CVE-2023-27997 in this blog. For more information, please refer to the blog and advisory."
In Monday's blog, Fortinet indicated that the vulnerability targeting the SSL-VPN devices may have been exploited in a limited number of cases. On Tuesday, more details on CVE-2023-27997 came out, and Fortinet rated it as critical severity with a CVSS score of 9.8.