Fortinet squashes hijack-my-VPN bug in FortiOS gear

Fortinet has patched a critical bug in its FortiOS and FortiProxy SSL-VPN that can be exploited to hijack the equipment.

The remote code execution vulnerability, tracked as CVE-2023-27997, was spotted and disclosed by Lexfo security analysts Charles Fol and Dany Bach.

Fortinet has warned the bug looks to have been exploited in the wild already. The security flaw lies within the SSL-VPN, so if you have that enabled, you are potentially vulnerable to attack.

"This is reachable pre-authentication, on every SSL VPN appliance," Fol tweeted, adding that Fortinet has released multiple updates for FortiOS and FortiProxy to close the SSL-VPN hole. Admins should get patching ASAP before more exploits are developed; an attacker just needs to be able to reach the equipment to exploit it, disrupt traffic, and explore the rest of the corporate network.

You can find a list of affected products and their updates here. The bug, a heap buffer overflow, is rated 9.2 out of 10 in terms of severity.

"The flaw would allow a hostile agent to interfere via the VPN, even if the MFA is activated," French managed security services provider Olympe Cyberdefense added in its own advisory.

Info available now

Fortinet did not respond to The Register's questions about the vulnerability. Both Fol and Lexo promised more details at a later time.

In the meantime, there's a write-up here on Fortinet's website regarding CVE-2023-27997 that you should check out if you use any affected FortiOS gear.

On that page, the developer noted the CVE-2023-27997 vulnerability – which it tracks as FG-IR-23-097 – may have been abused in the wild:

Fortinet disclosed an SSL-VPN flaw in December, for what it's worth, and at the time said it was aware of "an instance" where the bug had been exploited. That vulnerability, CVE-2022-42475, was a critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN, which could be exploited to crash or possibly hijack equipment. 

A month later, the security vendor admitted that the 9.8-out-of-10 severity bug had been abused to infect government and government-related organizations with custom-made malware. 

While it didn't say who was behind the attacks, Fortinet noted the discovered samples looked to have been compiled "on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries."

• Here's how Chinese cyber spies exploited a critical Fortinet bug
• Microsoft: Patch this severe Outlook bug that Russian miscreants exploited
• Hold it – more vulnerabilities found in MOVEit file transfer software
• Barracuda tells its ESG owners to 'immediately' junk buggy kit

Then in March, details emerged of suspected Chinese spies making use of another critical Fortinet bug, and also using custom networking malware to steal credentials and maintain network access.

Fortinet fixed that path transversal vulnerability in FortiOS, tracked as CVE-2022-41328, that month, and then a few days later released a more detailed analysis. 

It indicated that miscreants were using the flaw in an attempt to attack large organizations, steal their data, and cause OS or file corruption: "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets."

And in a much more detailed report published later in the month, Mandiant pinned the blame on Chinese hackers — with the (then) FortiOS zero day, and "multiple" bespoke malware families. ®