Fortinet warned customers this week of potential limited exploitation in the wild regarding a flaw affecting the SSL-VPN software component. This critical vulnerability (tracked as CVE-2023-27997) can be remotely exploited without authentication and can yield remote code or command execution to an attacker. Discovered by researchers Charles Fol and Dany Bach at LEXFO, disclosure-and-fix of this vulnerability coincided with an internal SSL-VPN audit-and-fix effort at Fortinet which covered this and five additional vulnerabilities.
What is Fortinet SSL-VPN?
Fortinet SSL-VPN is a VPN capability offered in some Fortinet products, including FortiGate firewall devices. This service provides secured network communications between a remote client and protected devices on an internal network. Several modes of operation are supported, including “tunnel mode” (which requires use of the FortiClient VPN client) and “web mode” (which does not require client-side VPN software).
What is the impact?
Of the six disclosed vulnerabilities, CVE-2023-27997 is considered the most severe with a “critical” CVSS score of 9.2. This pre-authentication vulnerability is rooted in a heap-based buffer overflow, seemingly similar to CVE-2022-42475 which was disclosed earlier this year as also affecting SSL-VPN (and did have reported exploitation in the wild). Attackers can exploit this vulnerability via a specially crafted request.
The complete list of recently disclosed-and-fixed Fortinet SSL-VPN vulnerabilities is as follows:
- CVE-2023-27997 (9.2, “critical) – pre-auth heap buffer overflow in SSL-VPN, exploitation could yield code/command execution
- CVE-2023-29180 (7.3, “high”) – null pointer dereference in SSLVPNd, exploitation could cause a denial-of-service condition by crashing SSLVPNd
- CVE-2023-22640 (7.1, “high”) – out-of-bounds write in SSLVPNd, exploitation could yield code/command execution
- CVE-2023-29181 (8.3, “high”) – format string bug in Fclicense daemon, exploitation could yield code/command execution
- CVE-2023-29179 (6.4, “medium”) – null pointer dereference in the SSLVPNd proxy endpoint, exploitation could cause a denial-of-service condition by crashing SSLVPNd
- CVE-2023-22641 (4.1, “medium”) – open redirect in SSLVPNd, exploitation could allow an attacker to redirect a user’s browser to a malicious URL
Are updates available?
Fortinet published new firmware versions a few days ahead of this disclosure. A variety of FortiOS, FortiOS-6K7K, and FortiProxy versions have been patched to fix the recently disclosed CVEs affecting SSL-VPN: CVE-2023-27997, CVE-2023-29180, CVE-2023-22640, CVE-2023-29181, CVE-2023-29179, CVE-2023-22641. Admins or owners of Fortinet appliances/products running affected firmware with SSL-VPN enabled should ensure they are updated to one of the newer firmware versions. If updating is not a near-term option, disabling the SSL-VPN service on affected appliances can mitigate the risk of exploitation.
How do I find potentially vulnerable Fortinet SSL-VPN instances with runZero?
_asset.protocol:http AND protocol:http AND (http.head.setCookie:="SVPNCOOKIE%SVPNNETWORKCOOKIE%" OR last.http.head.setCookie:="SVPNCOOKIE%SVPNNETWORKCOOKIE%")
Results from the above query should be triaged to verify those assets are running updated firmware versions.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.