FortiGate SSL VPN Vulnerability - CVE-2023-27997 & Volt Typhoon Update

THE THREAT

Fortinet has confirmed the existence of a critical zero-day vulnerability impacting Fortinet FortiGate SSL VPNs, tracked as CVE-2023-27997 (CVSS: 9.2). This is a pre-authentication Remote Code Execution vulnerability in FortiGate SSL VPNs including multiple versions of FortiOS-6K7K, FortiProxy, and FortiOS. Exploitation would allow a remote and unauthenticated threat actor to execute code on vulnerable devices. As the vulnerability is pre-authentication, attacks will bypass Multi-Factor Authentication (MFA).

In the same advisory, Fortinet also noted that the Volt Typhoon Campaign leveraged CVE-2022-40684 (CVSS: 9.6) for initial access. This is an authentication bypass vulnerability that impacts Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0. Exploitation would allow unauthenticated attackers to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Fortinet has confirmed that limited exploitation of CVE-2023-27997 occurred prior to patch release. Organizations are strongly recommended to review all potentially impacted devices and ensure they are up to date on security patches.

What we’re doing about it

• The eSentire product suite has a variety of detections in place to identify activity associated with the Volt Typhoon Campaign
• eSentire Managed Vulnerability (MVS) has plugins in place to identify CVE-2022-40684 and CVE-2023-27997
• The eSentire Threat Intelligence team continues to track these vulnerabilities for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant security patches

Additional information

As exploitation of CVE-2023-27997 has been confirmed in the wild, it is critical that organizations apply the relevant security patches as soon as possible to minimize the likelihood of exploitation. Security patches to address the vulnerability were released prior to vulnerability disclosure on June 9th. Alternative mitigations are not available for CVE-2023-27997.

Fortinet has not provided any additional details on real world attacks at this time for CVE-2023-27997. The eSentire Threat Intelligence team is actively tracking this topic and will perform threat hunts across the eSentire client base for CVE-2023-27997 as more details become available.

Fortinet disclosed an additional five vulnerabilities on June 12th. None of the other vulnerabilities are confirmed to be exploited in the wild. Organizations are recommended to patch for all vulnerabilities, as there is a high probability of exploitation in the future.

Security patches to address CVE-2022-40684 have been available since October 2022. Details of vulnerability exploitation and alternative mitigations are available in the official Fortinet advisory.

Impacted Fortinet Products for CVE-2023-27997:

• FortiOS-6K7K version 7.0.10
• FortiOS-6K7K version 7.0.5
• FortiOS-6K7K version 6.4.12
• FortiOS-6K7K version 6.4.10
• FortiOS-6K7K version 6.4.8
• FortiOS-6K7K version 6.4.6
• FortiOS-6K7K version 6.4.2
• FortiOS-6K7K version 6.2.9 through 6.2.13
• FortiOS-6K7K version 6.2.6 through 6.2.7
• FortiOS-6K7K version 6.2.4
• FortiOS-6K7K version 6.0.12 through 6.0.16
• FortiOS-6K7K version 6.0.10
• FortiProxy version 7.2.0 through 7.2.3
• FortiProxy version 7.0.0 through 7.0.9
• FortiProxy version 2.0.0 through 2.0.12
• FortiProxy 1.2 all versions
• FortiProxy 1.1 all versions
• FortiOS version 7.2.0 through 7.2.4
• FortiOS version 7.0.0 through 7.0.11
• FortiOS version 6.4.0 through 6.4.12
• FortiOS version 6.2.0 through 6.2.13
• FortiOS version 6.0.0 through 6.0.16

Impacted Fortinet Products for CVE-2022-40684:

• FortiOS version 7.2.0 through 7.2.1
• FortiOS version 7.0.0 through 7.0.6
• FortiProxy version 7.2.0
• FortiProxy version 7.0.0 through 7.0.6
• FortiSwitchManager version 7.2.0
• FortiSwitchManager version 7.0.0

Additional Fortinet Vulnerabilities

• CVE-2023-29180 (CVSS: 7.3): Null pointer de-reference in SSLVPNd
• CVE-2023-22640 (CVSS: 7.1): FortiOS - Out-of-bound-write in SSLVPNd
• CVE-2023-29181 (CVSS: 8.3): Format String Bug in Fclicense daemon
• CVE-2023-29179 CVSS: 6.4): Null pointer de-reference in SSLVPNd proxy endpoint
• CVE-2023-22641 (CVSS: 4.1): Open redirect in SSLVPNd

References:

[1] https://www.fortiguard.com/psirt/FG-IR-23-097
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-27997
[3] https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
[4] https://nvd.nist.gov/vuln/detail/CVE-2022-40684
[5] https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign
[6] https://www.fortiguard.com/psirt/FG-IR-22-377