How to fix CVE-2023-27997 in FortiOS & FortiProxy

Fortinet – the leading provider of network security solutions – has successfully fixed CVE-2023-27997, a critical flaw found in its FortiOS and FortiProxy SSL-VPN software. This flaw had the potential to be exploited for equipment hijacking. 

Here all the details: 

What is CVE-2023-27997? 

This vulnerability involves a heap-based buffer overflow in the secure socket layer virtual private network (SSL VPN) functionality of Fortinet devices, including FortiGate Next Generation Firewalls (NGFW) and FortiProxy. The vulnerability could be exploited by an unauthorized remote attacker who sends specifically crafted requests to a susceptible device. If successfully exploited, the attacker would gain the ability to execute arbitrary code on the compromised device. The vulnerability, assigned CVE-2023-27997 with a CVSS score of 9.2 was initially uncovered by a security analyst employed at Lexfo.  

Does CVE-2023-27997 affect me?  

As of June 12, there were roughly 210,700 Fortigate devices with the SSL VPN component exposed to the public internet, the majority of which are in the United States, followed by Japan and Taiwan.  

Affected products of this vulnerability are: 

FortiOS-6K7K: 7.0.5, 7.0.10, 6.4.8, 6.4.6, 6.4.2, 6.4.12, 6.4.10, 6.2.9, 6.2.7, 6.2.6, 6.2.4, 6.2.13, 6.2.12, 6.2.11, 6.2.10, 6.0.16, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.10 

FortiProxy: 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 2.0.9, 2.0.8, 2.0.7, 2.0.6, 2.0.5, 2.0.4, 2.0.3, 2.0.2, 2.0.12, 2.0.11, 2.0.10, 2.0.1, 2.0.0, 1.2.9, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.13, 1.2.12, 1.2.11, 1.2.10, 1.2.1, 1.2.0, 1.1.6, 1.1.5, 1.1.4, 1.1.3, 1.1.2, 1.1.1, 1.1.0 

FortiOS: 7.2.4, 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.11, 7.0.10, 7.0.1, 7.0.0, 6.4.9, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.12, 6.4.11, 6.4.10, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.13, 6.2.12, 6.2.11, 6.2.10, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.16, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0  

Has CVE-2023-27997 been actively exploited in the wild?  

It is currently unclear whether the vulnerability has been leveraged in real-world attacks or if the information about it extends beyond the initial research discovery. Even though researchers managed to develop a proof of concept, this does not necessarily imply the existence of a fully functional exploit.  

However, once the Proof of Concept (PoC) becomes public, threat actors are likely to attempt to develop their own attacks using the exploit. Consequently, it is crucial for Fortinet’s users to promptly apply the available patches to secure their systems. 

 

How to fix CVE-2023-27997 

Fortinet strongly advises customers who have enabled SSL-VPN to take immediate action by upgrading to the latest firmware release. Although the risk associated with this issue is reduced for customers who do not utilize SSL-VPN, Fortinet still recommends performing the upgrade as a precautionary measure. It has included security fixes in the firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12 and 7.2.5:  

• Upgrade to FortiOS-6K7K version 7.0.12 / 6.4.13 / 6.2.15 / 6.0.17 or above 
• Upgrade to FortiProxy version 7.2.4 / 7.0.10 or above 
• Upgrade to FortiOS version 7.4.0 / 7.2.5 / 7.0.12 / 6.4.13 / 6.2.14 / 6.0.17 or above  

In addition, Fortinet strongly recommends the following actions: 

1. Thoroughly examine your systems to identify any signs of previous vulnerabilities being exploited, such as FG-IR-22-377 / CVE-2022-40684. 
2. Uphold strong cyber hygiene practices and adhere to the patching recommendations provided by the vendor. 
3. Implement hardening measures as advised, such as referring to the FortiOS 7.2.0 Hardening Guide. 
4. Reduce the potential attack surface by disabling unused features and managing devices using an out-of-band method whenever feasible.  

Next steps 

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

1. CVSS v4.0 – what you need to know
2. MITRE ATTACK framework – Mapping techniques to CVEs  
3. Exploit maturity: an introduction  
4. OWASP Top 10 vulnerabilities 2022: what we learned 
5. How to fix CVE-2023-32784 in KeePass password manager

And finally…  

Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.