Executive Summary
CVE-2023-27997 is a critical heap-based buffer overflow vulnerability identified in Fortinet's FortiOS and FortiProxy SSL-VPN products. This vulnerability allows a remote attacker to execute arbitrary code or commands via specifically crafted requests, potentially leading to a full system compromise. The vulnerability has a CVSS score of 9.8, indicating its critical nature. Immediate action is required to mitigate the risk of exploitation, especially given its active exploitation in the wild.
Technical Information
CVE-2023-27997 is a heap-based buffer overflow vulnerability, classified under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). The vulnerability affects FortiOS versions 7.2.4 and below, 7.0.11 and below, 6.4.12 and below, 6.0.16 and below, and FortiProxy versions 7.2.3 and below, 7.0.9 and below, 2.0.12 and below, 1.2 all versions, and 1.1 all versions. The vulnerability allows a remote attacker to execute arbitrary code or commands via specifically crafted requests, potentially leading to a full system compromise.
The vulnerability is particularly dangerous due to its low attack complexity and the fact that it does not require any user interaction. The attack vector is network-based, meaning that an attacker can exploit the vulnerability remotely. The CVSS vector string for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it has a high impact on confidentiality, integrity, and availability.
The vulnerability was discovered in the SSL-VPN functionality of FortiOS and FortiProxy. When a specially crafted request is sent to the SSL-VPN service, it triggers a heap-based buffer overflow, allowing the attacker to execute arbitrary code. This can lead to a full system compromise, giving the attacker complete control over the affected device.
Exploitation in the Wild
This vulnerability has been actively exploited in the wild. According to multiple sources, including Fortinet and Rapid7, attackers have been leveraging this vulnerability to gain unauthorized access to systems running vulnerable versions of FortiOS and FortiProxy. The exploitation typically involves sending specially crafted requests to the SSL-VPN service, triggering the buffer overflow and allowing the attacker to execute arbitrary code.
Indicators of Compromise (IOCs) for this vulnerability include unusual network traffic to and from FortiGate devices, unexpected system behavior or crashes, and unauthorized access attempts or successful logins. Organizations should monitor their networks for these IOCs to detect potential exploitation attempts.
APT Groups using this vulnerability
While specific APT groups exploiting this vulnerability have not been publicly identified, the critical nature of the vulnerability and its exploitation in the wild suggest that it could be of interest to state-sponsored actors and advanced persistent threat (APT) groups. Given the high impact of the vulnerability, it is likely that APT groups targeting sectors such as government, finance, and critical infrastructure may seek to exploit it.
Affected Product Versions
The following product versions are affected by CVE-2023-27997:
FortiOS versions 7.2.4 and below
FortiOS versions 7.0.11 and below
FortiOS versions 6.4.12 and below
FortiOS versions 6.0.16 and below
FortiProxy versions 7.2.3 and below
FortiProxy versions 7.0.9 and below
FortiProxy versions 2.0.12 and below
FortiProxy versions 1.2, all versions
FortiProxy versions 1.1, all versions
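As an added example (not part of the original report, and not Rescana's or Fortinet's tooling), the following Python script encodes the affected ranges listed above and triages a constructed asset inventory. Branches the report does not mention are flagged as "unlisted branch" for manual review against the vendor advisory rather than being reported as safe.

```python
import re

# Affected branches as listed in the report: (major, minor) -> highest affected
# patch level in that branch; None means every release of the branch is affected.
AFFECTED = {
    "FortiOS": {(7, 2): 4, (7, 0): 11, (6, 4): 12, (6, 0): 16},
    "FortiProxy": {(7, 2): 3, (7, 0): 9, (2, 0): 12, (1, 2): None, (1, 1): None},
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Parse 'v7.2.4' or '7.2.4' into (major, minor, patch); a missing patch is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch) if patch is not None else 0


def assess(product, version):
    """Return 'affected', 'not affected' or 'unlisted branch' for one product/version."""
    branches = AFFECTED.get(product)
    if branches is None:
        raise ValueError(f"unknown product {product!r}")
    major, minor, patch = parse_version(version)
    if (major, minor) not in branches:
        # The report says nothing about this branch: do not assume it is safe.
        return "unlisted branch"
    ceiling = branches[(major, minor)]
    if ceiling is None or patch <= ceiling:
        return "affected"
    return "not affected"


def triage(inventory):
    """Run assess() over (hostname, product, version) rows from an asset inventory."""
    return [(host, product, version, assess(product, version))
            for host, product, version in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("fw-edge-1", "FortiOS", "v7.2.4"),
        ("fw-edge-2", "FortiOS", "7.2.5"),
        ("proxy-1", "FortiProxy", "1.2.9"),
        ("fw-lab", "FortiOS", "7.4.0"),
    ]
    for row in triage(sample):
        print("%-10s %-11s %-7s %s" % row)
```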
Workaround and Mitigation
Fortinet has released patches to address this vulnerability. It is crucial for organizations using affected versions of FortiOS and FortiProxy to apply these updates immediately to mitigate the risk of exploitation. The vendor advisory for this vulnerability can be found at Fortinet PSIRT Advisory: https://fortiguard.com/psirt/FG-IR-23-097.
In addition to applying patches, organizations should implement continuous monitoring for IOCs and unusual activity. Network segmentation and the use of intrusion detection and prevention systems can also help mitigate the risk of exploitation.
References
For further details and updates, please refer to the following official advisories and publications:
Fortinet PSIRT Blog: https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign
Rapid7 Blog: https://www.rapid7.com/blog/post/2023/06/12/etr-cve-2023-27997-critical-fortinet-fortigate-remote-code-execution-vulnerability/
Bishop Fox: https://bishopfox.com/blog/cve-2023-27997-exploitable-fortigate-vulnerable
Exploit Proof of Concepts (POCs):
Bishop Fox: https://github.com/BishopFox/CVE-2023-27997-check
Pik-sec: https://github.com/Pik-sec/cve-2023-27997
Delsploit: https://github.com/delsploit/CVE-2023-27997
Hheeyywweellccoommee: https://github.com/hheeyywweellccoommee/CVE-2023-27997-POC-FortiOS-SSL-VPN-buffer-overflow-vulnerability-ssijz
Lexfo: https://github.com/lexfo/xortigate-cve-2023-27997
Rio128128: https://github.com/rio128128/CVE-2023-27997-POC
Rescana is here for you
At Rescana, we understand the critical importance of staying ahead of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify, assess, and mitigate vulnerabilities in real-time. We are committed to providing our customers with the tools and insights they need to protect their systems and data. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.