Fortinet Fixes Critical RCE Flaw in Fortigate SSL-VPN Devices, Patch Now

Cyber Security Threat Summary:
“Fortinet has released new Fortigate firmware updates that fix an undisclosed, critical pre-authentication remote code execution vulnerability in SSL VPN devices, tracked as CVE-2023-27997. The security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.” (Bleeping Computer, 2023). According to security professionals, the updates will fix a critical SSL VPN vulnerability that will be disclosed on June 13th, 2023. The flaw can be used by an attacker to interfere with the VPN even if multi-factor authentication has been activated. According to researchers, this vulnerability likely impacts all versions, but the release of the full details on June 13th should confirm this information.

Fortinet is known to push out security patches prior to disclosing critical vulnerabilities to give customers time to update their devices before threat actors reverse engineer the patches.

Security Officer Comments:
Researchers from Lexfo Security released more details about the critical RCE vulnerability. On Fortigate devices, the vulnerability is reachable pre-authentication on every SSL VPN appliance.

Fortinet administrators should consider this patch urgent and patch as soon as possible. Because Fortinet makes some of the most popular firewalls and VPN devices on the market, threat actors will look to target them quickly.

“Per a Shodan search, over 250,000 Fortigate firewalls can be reached from the Internet, and as this bug affects all previous versions, the majority are likely exposed. In the past, SSL-VPN flaws have been exploited by threat actors just days after patches are released, commonly used to gain initial access to networks to conduct data theft and ransomware attacks” (Bleeping Computer, 2023). Responsible disclosure is critical when vulnerabilities like these are found.

Suggested Correction(s):
Admins should apply the most recent patches as soon as possible. There is currently no mention of possible workarounds. Unfortunately for enterprise defenders, threat actors can compare the newer versions of the OS with older ones to find what the patch does and, based on that information, develop a working exploit.
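To prioritize patching, the script below (an added example, not part of the original summary or any Fortinet tooling) compares reported FortiOS versions against the fixed releases listed in this summary. The hostnames and inventory are constructed sample data, and branches with no fixed release listed on this page are reported as unknown rather than guessed.

```python
"""Triage a FortiOS inventory against the fixed releases for CVE-2023-27997."""
import re

# Fixed releases as listed in this summary, keyed by (major, minor) branch.
FIXED = {(6, 0): (6, 0, 17), (6, 2): (6, 2, 15), (6, 4): (6, 4, 13),
         (7, 0): (7, 0, 12), (7, 2): (7, 2, 5)}
# Report order: devices that need action first.
ORDER = {"needs-patch": 0, "unparsed": 1, "unknown-branch": 2, "patched": 3}
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from a version string such as 'v7.2.4';
    return None when no dotted version is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Return (status, detail) for one device's reported version."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed", "version not recognized; check manually"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown-branch", "no fixed release listed for this branch"
    target = ".".join(map(str, fixed))
    if version >= fixed:  # tuple comparison, so 7.2.10 > 7.2.5
        return "patched", f"at or above {target}"
    return "needs-patch", f"upgrade to {target} or later"


def triage(inventory):
    """Return [(host, status, detail)], most urgent first."""
    rows = [(host, *classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (ORDER[r[1]], r[0]))


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "vpn-edge-01": "v7.2.4",
    "vpn-edge-02": "v7.2.5",
    "vpn-branch-03": "FortiOS v6.4.12",
    "vpn-lab-04": "v7.0.12",
    "vpn-old-05": "v5.6.14",
    "vpn-dr-06": "unknown",
}

if __name__ == "__main__":
    for host, status, detail in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {status:15} {detail}")
```

Devices reported as unknown-branch or unparsed need a manual check against the vendor advisory linked below.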

Link(s):
https://www.bleepingcomputer.com/
https://www.fortiguard.com/psirt