Background
On 12 June 2023, Fortinet published security advisory FG-IR-23-097 for a critical vulnerability in the SSL-VPN component of FortiOS and FortiProxy, tracked as CVE-2023-27997. The flaw is a heap-based buffer overflow in the SSL-VPN's pre-authentication request handling: an unauthenticated, remote attacker who can reach the SSL-VPN portal can trigger it with crafted requests and execute arbitrary code on the device. Fortinet states that the bug was identified during a code audit; it was reported by researchers at Lexfo, who later published their analysis. The vulnerability is being exploited in the wild in a limited number of incidents, some of which have been associated with a campaign attributed to Volt Typhoon (also tracked as Insidious Taurus), a suspected Chinese state-sponsored group, although Fortinet has said that it is not itself linking the exploitation to that campaign.
Although the in-the-wild activity has so far been associated with a single group, a proof-of-concept exploit has since been published, so it is highly likely that CVE-2023-27997 will shortly be exploited by a wider range of nation-state and financially motivated actors. The potential impact is significant: Fortinet SSL-VPN is widely used for remote access across the public and private sectors, the vulnerable code is reachable without credentials on any internet-exposed SSL-VPN portal, and previous Fortinet VPN vulnerabilities have been used by groups intending to deploy ransomware and/or exfiltrate data.
Remediation
We urgently advise all organisations that may be affected to apply the following remediation:
- Disable the SSL-VPN if it is not critical to business operations. The vulnerable code is only reachable when SSL-VPN is enabled, and IPsec VPN is not affected. Disabling the SSL-VPN removes the exposure but does not undo any compromise that has already taken place.
- Upgrade SSL VPN-enabled FortiOS and FortiProxy devices to a fixed release: FortiOS 7.4.0, 7.2.5, 7.0.12, 6.4.13, 6.2.14 or 6.0.17 and above; FortiProxy 7.2.4, 7.0.10 or 2.0.13 and above. FortiProxy 1.1 and 1.2 have no fixed release and must be migrated; consult the advisory for the FortiOS-6K7K fixed builds.
- Review systems for evidence of exploitation of CVE-2023-27997 (see the indicators of compromise below). Patching does not remove an attacker who is already present.
- Apply Fortinet's hardening recommendations for FortiOS, in particular restricting administrative access to trusted hosts and keeping the management interface off the internet.
If evidence of compromise is identified, immediately investigate the scope of the malicious activity and ensure that any threat actor who may retain access to the network is removed. This includes checking for persistence that survives a firmware upgrade, such as added administrator accounts, modified configuration or rogue VPN users, since the device configuration is carried across the upgrade.
Affected Fortinet products
The following FortiOS and FortiProxy versions are affected:
- FortiOS version 7.2.0 through 7.2.4
- FortiOS version 7.0.0 through 7.0.11
- FortiOS version 6.4.0 through 6.4.12
- FortiOS version 6.2.0 through 6.2.13
- FortiOS version 6.0.0 through 6.0.16
- FortiOS-6K7K version 7.0.10
- FortiOS-6K7K version 7.0.5
- FortiOS-6K7K version 6.4.12
- FortiOS-6K7K version 6.4.10
- FortiOS-6K7K version 6.4.8
- FortiOS-6K7K version 6.4.6
- FortiOS-6K7K version 6.4.2
- FortiOS-6K7K version 6.2.9 through 6.2.13
- FortiOS-6K7K version 6.2.6 through 6.2.7
- FortiOS-6K7K version 6.2.4
- FortiOS-6K7K version 6.0.12 through 6.0.16
- FortiOS-6K7K version 6.0.10
- FortiProxy version 7.2.0 through 7.2.3
- FortiProxy version 7.0.0 through 7.0.9
- FortiProxy version 2.0.0 through 2.0.12
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
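Checking a fleet against a list like this by eye is error-prone, particularly for the FortiOS-6K7K line where only individual builds are affected. The following Python script is an added example, not part of the advisory or of any Fortinet tooling: it encodes the affected ranges above, parses the `Version:` line of `get system status` output, and reports whether a device is affected. The `get system status` sample is constructed, and `guess_product` is an assumption (a heuristic mapping FortiGate 6000/7000 chassis models to the FortiOS-6K7K line) that can be overridden with the `product` argument.

```python
import re

# Affected releases exactly as listed in Fortinet advisory FG-IR-23-097 for
# CVE-2023-27997, expressed as inclusive (low, high) ranges of (major, minor, patch).
# A pair with low == high is a single affected build; a high patch of 999 means
# "all releases of that minor version" (FortiProxy 1.1 and 1.2).
AFFECTED = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 4)),
        ((7, 0, 0), (7, 0, 11)),
        ((6, 4, 0), (6, 4, 12)),
        ((6, 2, 0), (6, 2, 13)),
        ((6, 0, 0), (6, 0, 16)),
    ],
    "FortiOS-6K7K": [
        ((7, 0, 10), (7, 0, 10)),
        ((7, 0, 5), (7, 0, 5)),
        ((6, 4, 12), (6, 4, 12)),
        ((6, 4, 10), (6, 4, 10)),
        ((6, 4, 8), (6, 4, 8)),
        ((6, 4, 6), (6, 4, 6)),
        ((6, 4, 2), (6, 4, 2)),
        ((6, 2, 9), (6, 2, 13)),
        ((6, 2, 6), (6, 2, 7)),
        ((6, 2, 4), (6, 2, 4)),
        ((6, 0, 12), (6, 0, 16)),
        ((6, 0, 10), (6, 0, 10)),
    ],
    "FortiProxy": [
        ((7, 2, 0), (7, 2, 3)),
        ((7, 0, 0), (7, 0, 9)),
        ((2, 0, 0), (2, 0, 12)),
        ((1, 2, 0), (1, 2, 999)),
        ((1, 1, 0), (1, 1, 999)),
    ],
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '7.0.11' or 'v7.0.11,build0489'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(product, version):
    """True if product/version falls inside any affected range from the advisory."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED[product])


def guess_product(model):
    """Heuristic (an assumption, not from the advisory): map a model string to a firmware line.

    FortiGate 6000 and 7000 series chassis run the separate FortiOS-6K7K builds;
    any other FortiGate model is assumed to run mainline FortiOS.
    """
    if model.startswith("FortiProxy"):
        return "FortiProxy"
    if re.match(r"FortiGate-[67]\d{3}", model):
        return "FortiOS-6K7K"
    return "FortiOS"


STATUS_RE = re.compile(r"^Version:\s+(\S+)\s+v(\d+\.\d+\.\d+)", re.MULTILINE)


def classify_system_status(status_text, product=None):
    """Read the 'Version:' line of `get system status` output and decide exposure.

    Returns (model, version, affected). `product` overrides the model heuristic.
    """
    m = STATUS_RE.search(status_text)
    if not m:
        raise ValueError("no 'Version:' line found in status output")
    model, version = m.group(1), m.group(2)
    product = product or guess_product(model)
    return model, version, is_affected(product, version)


# Constructed sample of the first lines of `get system status` on an affected device.
SAMPLE_STATUS = """\
Version: FortiGate-100F v7.0.11,build0489,230314 (GA.F)
Security Level: 1
Firmware Signature: certified
Virus-DB: 91.03790(2023-06-12 17:12)
"""

if __name__ == "__main__":
    model, version, affected = classify_system_status(SAMPLE_STATUS)
    print(f"{model} running {version}: {'AFFECTED, upgrade now' if affected else 'not in affected list'}")
    for product, ver in [("FortiOS", "7.0.12"), ("FortiOS-6K7K", "7.0.9"), ("FortiProxy", "1.2.13")]:
        print(product, ver, "affected" if is_affected(product, ver) else "not affected")
```

The ranges are copied from the advisory as reproduced above; if Fortinet revises the affected list, the `AFFECTED` table is the only thing that needs updating. Note that a device outside the affected ranges is still exposed if it is running an unsupported branch that Fortinet no longer evaluates, so treat "not in affected list" as a prompt to confirm against the current advisory rather than as proof of safety.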
Indicators of compromise
At this stage, few indicators of compromise are available. Based on Lexfo's analysis of the published proof of concept, the following are potential indicators of exploitation attempts:
- An abnormal volume of requests to /remote/logincheck and /remote/hostcheck_validate, particularly many requests from a single source in a short period
- Unexplained reboots, or crashes of the sslvpnd daemon: a failed heap-overflow attempt will typically crash the SSL-VPN process, which can be checked on the device with diagnose debug crashlog read
Note that the SSL-VPN event logs on the device record session events rather than individual request paths, so the request-based indicators are best sought in logs from a reverse proxy, load balancer or network sensor in front of the portal.
Fortinet has also reported that, in the incidents it investigated, exploitation of CVE-2023-27997 appears to have coincided with attempts to exploit CVE-2022-40684, an unrelated authentication bypass in the FortiOS administrative interface disclosed in October 2022, to gain initial access. Therefore, also search for the following administrator account names, which are not created by Fortinet and should not exist on a legitimately configured device:
- fortinet-tech-support
- fortigate-tech-support
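The two hunts above (request bursts against the SSL-VPN endpoints, and the named accounts) can be run over exported logs with a short script. The following Python is an added example written for this page, not code from Lexfo, Fortinet or S-RM. It assumes two inputs: Common Log Format access logs from a reverse proxy or load balancer in front of the SSL-VPN portal (a hypothetical deployment), and FortiOS key=value event logs exported from the device or its log collector. Both samples are constructed, and the logid values in the event-log sample are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Request paths named in Lexfo's analysis of the CVE-2023-27997 proof of concept.
SUSPECT_PATHS = {"/remote/logincheck", "/remote/hostcheck_validate"}

# Administrator account names associated with CVE-2022-40684 abuse.
SUSPECT_ACCOUNTS = ("fortinet-tech-support", "fortigate-tech-support")

# Constructed sample: Common Log Format lines from a reverse proxy in front of the
# SSL-VPN portal (hypothetical deployment). 198.51.100.7 hammers the endpoints,
# 203.0.113.25 is a normal user logging in once.
ACCESS_LOG = """\
198.51.100.7 - - [13/Jun/2023:09:00:01 +0000] "POST /remote/logincheck HTTP/1.1" 200 512
198.51.100.7 - - [13/Jun/2023:09:00:02 +0000] "GET /remote/login HTTP/1.1" 200 4096
198.51.100.7 - - [13/Jun/2023:09:00:03 +0000] "POST /remote/hostcheck_validate HTTP/1.1" 500 0
198.51.100.7 - - [13/Jun/2023:09:00:08 +0000] "POST /remote/hostcheck_validate HTTP/1.1" 500 0
203.0.113.25 - - [13/Jun/2023:09:00:10 +0000] "POST /remote/logincheck HTTP/1.1" 200 512
198.51.100.7 - - [13/Jun/2023:09:00:15 +0000] "POST /remote/hostcheck_validate HTTP/1.1" 500 0
198.51.100.7 - - [13/Jun/2023:09:00:22 +0000] "POST /remote/hostcheck_validate HTTP/1.1" 500 0
198.51.100.7 - - [13/Jun/2023:09:00:40 +0000] "POST /remote/hostcheck_validate HTTP/1.1" 500 0
198.51.100.7 - - [13/Jun/2023:09:05:00 +0000] "POST /remote/hostcheck_validate HTTP/1.1" 200 12
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def find_request_bursts(log_text, threshold=5, window_seconds=60):
    """Return {src_ip: peak} for sources that hit the suspect paths at least
    `threshold` times inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than fail on a noisy export
        src, ts, _method, path, _status = m.groups()
        if path.split("?", 1)[0] in SUSPECT_PATHS:
            times[src].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    bursts = {}
    for src, stamps in times.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[src] = peak
    return bursts


# Constructed sample of FortiOS key=value event-log lines (logid values illustrative).
EVENT_LOG = """\
date=2023-06-13 time=09:05:12 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="fortinet-tech-support" ui="https(203.0.113.9)" action="login" status="success" msg="Administrator fortinet-tech-support logged in successfully from https(203.0.113.9)"
date=2023-06-13 time=09:06:40 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" action="Add" cfgpath="system.admin" cfgobj="fortigate-tech-support" msg="Add system.admin fortigate-tech-support"
date=2023-06-13 time=09:07:00 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" action="login" status="success"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_kv(line):
    """Split a FortiOS log line into a {key: value} dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def find_suspect_accounts(log_text, accounts=SUSPECT_ACCOUNTS):
    """Return {account: [line numbers]} for any field (user, cfgobj, msg, ...) that
    mentions one of the suspect account names, so account creation is caught as
    well as logins by the account."""
    hits = defaultdict(set)
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for value in parse_fortios_kv(line).values():
            for account in accounts:
                if account in value:
                    hits[account].add(lineno)
    return {account: sorted(lines) for account, lines in hits.items()}


if __name__ == "__main__":
    print("request bursts:", find_request_bursts(ACCESS_LOG))
    print("suspect accounts:", find_suspect_accounts(EVENT_LOG))
```

The burst threshold is deliberately low: a legitimate client performs one logincheck per login, so more than a handful of hits to these two endpoints from one address inside a minute is worth a look, and the 500 responses in the sample are the kind of signal a crashed sslvpnd would leave in a front-end proxy's log. Matching the account names across every field, not just `user`, is what catches the `cfgobj` line recording the account being added.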
If malicious activity is identified
- Trigger your incident response plan
- Engage an expert cyber incident response firm
- Preserve evidence: export the device configuration and logs, and capture the crash log and any available memory or disk image, before rebooting or upgrading the device
- Implement a containment plan to limit the threat actor's access inside the network
- Implement a threat hunting and eradication plan to remove the threat actor from the network, including any accounts, VPN users or configuration changes they added on the device
- Conduct forensics across impacted devices to identify potential data exfiltration
Please contact S-RM if you are concerned about your organisation's exposure to the Fortinet vulnerability