A heap-based buffer overflow vulnerability (CWE-122) has been identified in FortiOS and FortiProxy SSL-VPN. This vulnerability allows a remote attacker to execute arbitrary code and commands by sending specially crafted requests.
Workaround
To mitigate the risk, it is recommended to disable SSL-VPN on the FortiOS device.
Recommendations
- For FortiOS equipment users: Check if the currently running version is the latest one. If not, apply the available upgrades or implement the provided workaround.
- If you rely on a service provider for security updates: Request information about the installed version and the most recent version available. If there is a discrepancy, insist on performing the upgrade.
- If suspicious activity is detected in the logs indicating a compromised FortiOS device, initiate an incident response procedure. Patching alone is not sufficient if you do not review the logs and evidence.
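The three recommendations above form one procedure: read the running version, compare it with the fixed release for that branch, and, whether or not you can upgrade, review the SSL-VPN logs. The script below is an added example written for this page; it is neither CIRCL tooling nor Fortinet code. It assumes the version is read from the "Version:" line of FortiOS "get system status" output, uses placeholder fixed versions that must be replaced with the values from the vendor advisory, and parses constructed key=value log lines whose field names (type, subtype, action, tunneltype, remip, user) are assumptions for the example.

```python
"""Triage helper for the three recommendations above.

Added example, not part of the CIRCL advisory and not Fortinet tooling.
Assumptions, all labelled:
  * the running version is read from the "Version:" line of FortiOS
    "get system status" output (SAMPLE_STATUS below is constructed text);
  * FIXED_BY_BRANCH holds PLACEHOLDER minimum fixed versions per release
    branch; fill them in from the vendor advisory before relying on the result;
  * log lines use the key=value / key="value" layout of FortiOS syslog; the
    sample lines and the field names the filter relies on (type, subtype,
    action, tunneltype, remip, user) are constructed for this example.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, int, int]

# PLACEHOLDER values: replace with the first fixed release of each branch
# as listed in the vendor advisory. Patch level 99 will never match a real build.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (7, 2): (7, 2, 99),
    (7, 0): (7, 0, 99),
    (6, 4): (6, 4, 99),
}

# Constructed sample of "get system status" output (only the Version line matters).
SAMPLE_STATUS = """Version: FortiGate-60F v7.0.11,build0000,000000 (GA)
Serial-Number: PLACEHOLDER
"""

VERSION_RE = re.compile(r"^Version:\s+\S+\s+v(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_version(status_output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from the Version line; None if absent."""
    m = VERSION_RE.search(status_output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: Version,
           fixed_by_branch: Dict[Tuple[int, int], Version] = FIXED_BY_BRANCH) -> str:
    """Steps 1-2: compare the running version with the fixed one for its branch."""
    fixed = fixed_by_branch.get(version[:2])
    if fixed is None:
        return "unknown-branch"   # branch not in the table: consult the advisory
    if version >= fixed:
        return "patched"
    return "vulnerable"           # upgrade, or disable SSL-VPN until you can


KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv_log(line: str) -> Dict[str, str]:
    """Split a FortiOS-style key=value line into a dict (quoted or bare values)."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


# Constructed sample log lines; 198.51.100.10 is the only expected VPN client.
SAMPLE_LOGS = [
    'date=2023-07-05 time=08:15:02 devname="fw-edge" type="event" subtype="vpn" '
    'action="ssl-login-fail" remip=203.0.113.5 user="admin"',
    'date=2023-07-05 time=08:15:04 devname="fw-edge" type="event" subtype="vpn" '
    'action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.10 user="alice"',
    'date=2023-07-05 time=08:16:30 devname="fw-edge" type="event" subtype="system" '
    'action="login" user="admin"',
]


def sslvpn_events_to_review(lines: List[str], expected_sources: Set[str]) -> List[Dict[str, str]]:
    """Step 3 starting point: SSL-VPN events whose peer is not an expected client.

    This is a first filter for an analyst, not an indicator of compromise: every
    hit still has to be reviewed against the device's full logs.
    """
    findings = []
    for line in lines:
        ev = parse_kv_log(line)
        if ev.get("type") != "event" or ev.get("subtype") != "vpn":
            continue
        is_ssl = ev.get("action", "").startswith("ssl-") or ev.get("tunneltype", "").startswith("ssl")
        if not is_ssl or ev.get("remip", "") in expected_sources:
            continue
        findings.append({k: ev.get(k, "") for k in ("date", "time", "remip", "user", "action")})
    return findings


if __name__ == "__main__":
    running = parse_version(SAMPLE_STATUS)
    print("running version:", running, "->", assess(running) if running else "unparsed")
    for hit in sslvpn_events_to_review(SAMPLE_LOGS, {"198.51.100.10"}):
        print("review:", hit)
```

With the placeholder table every parsed version reports "vulnerable", which is the safe default until the real fixed versions are filled in; the log filter is only a starting point for the incident response step, since a single login failure from an unexpected address proves nothing on its own.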
Notifications
CIRCL (Computer Incident Response Center Luxembourg) has sent notifications to ISPs and known contact points when publicly exposed vulnerable devices were discovered. If you would like to directly share your IP resources for notifying the appropriate contact point, please reach out to us.
References
- CVE information: A heap-based buffer overflow vulnerability in FortiOS
- Vendor information: FortiOS & FortiProxy - Heap buffer overflow in sslvpn pre-authentication
- Reporter information: Pre-authentication Remote Code Execution on Fortigate
- Third-party information: CVE-2023-27997 Is Exploitable, and 69% of FortiGate Firewalls Are Vulnerable
Classification of this document
TLP:CLEAR information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.0 - TLP:CLEAR - First version - 5th July 2023