How to Respond: CVE-2023-27997 (Fortigate SSL VPN)

A critical vulnerability in FortiGate SSL VPN could allow hackers to access vulnerable systems and inject malicious code, even if Multi-Factor Authentication (MFA) is enabled. To learn how to identify whether your Fortinet product is impacted and how to quickly secure it, read on.

Learn how UpGuard simplifies Vendor Risk Management >

What is CVE-2023-27997

CVE-2023-27997 is a critical heap buffer overflow vulnerability in the SSL-VPN pre-authentication module of Fortinet's FortiOS. Its exploitation allows excess data to overflow from an allocated memory block into adjacent memory blocks in the heap, making it possible to execute arbitrary code enforcing malicious program behavior. 

‍

SSL VPNs are often trusted to facilitate secure connections to private organization networks. A vulnerability like CVE-2023-27997 could allow cybercriminals to access any networks and products protected by this secure channel. What elevates this vulnerability to a critical severity is the fact that it can be exploited pre-authentication, meaning cybercriminals could exploit it without providing privileged credentials. With the resulting significant compression of the cyber attack pathway, indicators of Attack are much harder to detect and intercept, giving all data breach attempts a higher likelihood of success. 

‍Learn how to respond to the MOVEit zero-day >

How to Detect CVE-2023-27997

You can determine whether they are impacted by the FortiGate SSL VPN by comparing their product version number against the following vulnerable FortiOS versions.

• FortiOS-6K7K version 7.0.12 or above
• FortiOS-6K7K version 6.4.13 or above
• FortiOS-6K7K version 6.2.15 or above
• FortiOS-6K7K version 6.0.17 or above
• FortiProxy version 7.2.4 or above
• FortiProxy version 7.0.10 or above
• FortiProxy version 2.0.13 or above
• FortiOS version 7.4.0 or above
• FortiOS version 7.2.5 or above
• FortiOS version 7.0.12 or above
• FortiOS version 6.4.13 or above
• FortiOS version 6.2.14 or above, and
• FortiOS version 6.0.17 or above

To check the version of your FortiOS product, type the following command in your Command Line Interface.

diagnose sys fortiguard-service status

How UpGuard Can Help

Although security teams are expected to rapidly patch such critical vulnerabilities, impacted environments could still be overlooked, especially if they're associated with unmaintained internet-facing assets. Using ethical non-invasive scanning techniques, UpGuard can detect instances of a FortiOS SSL VPN interface.

See the example below of this risk being detected in a user's Vendor's Risk profile.

Because invasive scanning methods violate UpGuard's scanning policy, the quickest (and most ethical) method of confirming vulnerable instances of FortiOS is to send a remediation request asking for security patch confirmation.

Watch the video below to learn how UpGuard can detect unmaintained assets likely running vulnerable software versions.

Get a free trial of UpGuard >

Impact Mitigation Suggestions for the Fortigate SSL VPN Vulnerability

Follow these suggested response actions to mitigate the impact of CVE-2023-27997.

1. Upgrade to the Latest FortiOS Firmware Release

Upgrade your firmware to the following patched versions of FortiOS-6k7k, FortiProxy, and FortiOS: 

FortiOS-6K7K

• Version 7.0.12 or above
• Version 6.4.13 or above
• Version 6.2.15 or above
• Version 6.0.17 or above

FortiProxy

• Version 7.2.4 or above
• Version 7.0.10 or above

FortiOS

• Version 7.4.0 or above
• Version 7.2.5 or above
• Version 7.0.12 or above
• Version 6.4.13 or above
• Version 6.2.14 or above
• Version 6.0.17 or above

Be sure to follow your organizational patching policy to minimize business operation disruption during firmware upgrades. 

2. Disable SSL-VPN on all Impacted Devices

Upgrading to the latest patched versions of Fortinet is the best form of defense against CVE-2023-27997. However, for instances where patching isn't an option, all SSL-VPN appliances should be immediately disabled - even if you haven't confirmed whether they're running vulnerable software versions.

For instructions on how to disable all SSL VPN connections, refer to this Fotinet document.

Successful disablement is confirmed when the Remote Access module is no longer visible on all workstations connected to the EMS.

3. Follow FortiOS Hardening Guidelines

After upgrading to the latest patched versions, your attack surface should be further reduced by following this hardening guide by Fortinet.

Forinet's hardening guide reduces the risk of data breaches by outlining best practices in the following areas:

• Physical security
• Vulnerability - monitoring PSIRT
• Firmware
• Encrypted protocols
• FortiGuard databases
• Penetration testing
• Denial of service
• Secure password storage