
Cyber threat advisory: Fortinet vulnerability

Tim Geschwindt, Vlada Kulish 15 June 2023


Background

On 12 June 2023, Fortinet released a security advisory for a critical SSL VPN vulnerability (CVE-2023-27997) that is being exploited in the wild in active incidents, some of which are associated with a campaign attributed to Volt Typhoon (Insidious Taurus), a suspected Chinese nation-state cyber group. The vulnerability was identified during an internal audit of Fortinet’s codebase. It is a heap-based buffer overflow that an unauthenticated attacker can exploit to compromise the affected device remotely.

Although the vulnerability is currently associated with Volt Typhoon, a proof-of-concept exploit has since been published online, so it is highly likely that CVE-2023-27997 will imminently be exploited by a wider range of nation-state actors and financially motivated cybercriminals. The potential impact is significant because the Fortinet SSL VPN is widely used for remote access in both the public and private sector, and because previous Fortinet VPN vulnerabilities have led to intrusions by groups intending to deploy ransomware and/or exfiltrate data.


Remediation

We urgently advise all organisations that may be impacted to apply the following remediation:

If evidence of compromise is identified, we advise immediately investigating the scope of the malicious activity and ensuring that any threat actors who may retain access to the network are removed.


Affected Fortinet products

The following FortiOS and FortiProxy versions are affected by this vulnerability:

FortiOS-6K7K version 7.0.10
FortiOS-6K7K version 7.0.5
FortiOS-6K7K version 6.4.12
FortiOS-6K7K version 6.4.10
FortiOS-6K7K version 6.4.8
FortiOS-6K7K version 6.4.6
FortiOS-6K7K version 6.4.2
FortiOS-6K7K version 6.2.9 through 6.2.13
FortiOS-6K7K version 6.2.6 through 6.2.7
FortiOS-6K7K version 6.2.4
FortiOS-6K7K version 6.0.12 through 6.0.16
FortiOS-6K7K version 6.0.10
FortiProxy version 7.2.0 through 7.2.3
FortiProxy version 7.0.0 through 7.0.9
FortiProxy version 2.0.0 through 2.0.12
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.11
FortiOS version 6.4.0 through 6.4.12
FortiOS version 6.2.0 through 6.2.13
FortiOS version 6.0.0 through 6.0.16


Indicators of compromise

At this stage, only limited IoCs are available; however, according to analysis of the available proof of concept by Lefxo, the following are potential IoCs for this exploit:

  • Abnormal number of ‘/remote/logincheck’ and ‘/remote/hostcheck_validate’ requests
  • Suspicious reboots

Moreover, Fortinet have identified that intrusions related to exploitation of CVE-2023-27997 appear to coincide with attempts to gain initial access by exploiting a similar authentication bypass flaw in FortiOS identified in December 2022, tracked as CVE-2022-40684. Therefore, search for use of the following named accounts:

  • fortinet-tech-support
  • fortigate-tech-support
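To turn the two IoCs above into a repeatable check, here is an added detection example (not from the advisory, and not Fortinet tooling) that runs over constructed log lines in an assumed key=value format: it flags any source bursting at the two IoC paths within a single minute and any login that uses one of the named accounts. The log format, the `src`/`path`/`user` field names and the per-minute threshold are assumptions; adapt the `field` helper to your own FortiGate or proxy log layout.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed key=value format (not real FortiGate output).
SAMPLE_LOG = """\
2023-06-13T10:00:01Z src=203.0.113.5 path=/remote/logincheck status=200
2023-06-13T10:00:01Z src=203.0.113.5 path=/remote/hostcheck_validate status=200
2023-06-13T10:00:02Z src=203.0.113.5 path=/remote/logincheck status=200
2023-06-13T10:00:02Z src=203.0.113.5 path=/remote/hostcheck_validate status=200
2023-06-13T10:00:03Z src=203.0.113.5 path=/remote/logincheck status=200
2023-06-13T10:00:03Z src=203.0.113.5 path=/remote/hostcheck_validate status=200
2023-06-13T10:05:10Z src=198.51.100.7 path=/remote/logincheck status=200
2023-06-13T10:05:11Z src=198.51.100.7 path=/remote/login user=fortinet-tech-support status=200
2023-06-13T10:06:00Z src=192.0.2.9 path=/remote/login user=alice status=200
"""

# Request paths and account names listed as potential IoCs in the advisory.
SUSPICIOUS_PATHS = {"/remote/logincheck", "/remote/hostcheck_validate"}
NAMED_ACCOUNTS = {"fortinet-tech-support", "fortigate-tech-support"}


def field(line, name):
    """Return the value of a key=value field in a log line, or None if absent."""
    m = re.search(rf"\b{name}=(\S+)", line)
    return m.group(1) if m else None


def analyse(log_text, per_minute_threshold=5):
    """Flag sources bursting at the IoC paths and any use of the named accounts."""
    hits = Counter()   # (src, minute) -> number of requests to the IoC paths
    accounts = set()   # (src, user) pairs that authenticated with a named account
    for line in log_text.splitlines():
        src, path, user = (field(line, k) for k in ("src", "path", "user"))
        if not src:
            continue
        minute = line[:16]  # assumes an ISO-8601 timestamp leads each line
        if path in SUSPICIOUS_PATHS:
            hits[(src, minute)] += 1
        if user in NAMED_ACCOUNTS:
            accounts.add((src, user))
    bursts = {key: n for key, n in hits.items() if n >= per_minute_threshold}
    return {"bursts": bursts, "named_accounts": accounts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for (src, minute), n in result["bursts"].items():
        print(f"{src}: {n} IoC-path requests in minute {minute}")
    for src, user in result["named_accounts"]:
        print(f"{src}: authentication as named account {user}")
```

A single hit on these paths is normal VPN traffic; the per-minute burst from one source, or any appearance of the named accounts, is what warrants escalation under the steps below.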


If malicious activity is identified

  1. Trigger your incident response plan
  2. Engage an expert cyber incident response firm
  3. Preserve evidence
  4. Implement a containment plan to limit the threat actor’s access inside the network
  5. Implement a threat hunting and eradication plan to remove the threat actor from the network
  6. Conduct forensics across impacted devices to identify potential data exfiltration

Please contact S-RM if you are concerned about your organisation's exposure to the Fortinet vulnerability.
