MFA is no protection against this critical new Fortinet vulnerability, CVE-2023-27997

Updated June 14 with exploit path, details from Lexfo.

A critical new Fortinet vulnerability allocated CVE-2023-27997 “is reachable pre-authentication (without any login needed), on every [Fortinet] SSL VPN appliance” says Charles Fol of French offensive security firm Lexfo Security, who found the vulnerability with a colleague during a Red Team engagement.

Fortinet on Friday June 9 pushed updates for FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 to fix the vulnerability.

Fol’s security researcher colleague Dany Bach told The Stack that they were waiting for the full advisory from Fortinet before sharing a detailed technical breakdown of CVE-2023-27997 but confirmed “it is a pre-auth RCE [and] has been proven to be exploitable in a consistent manner, as we found it during a Red Team engagement and exploited it remotely.”

UPDATED: Lexfo has published details on how the vulnerability works here. Fortinet has confirmed it has been exploited in the wild.

Lexfo notes: "We remain doubtful they [Fortinet] ever ran a proper security assessment on the appliance, considering the number and quality of vulnerabilities that were found from 2019 to today.

The vulnerability affects Fortinet Fortigate devices when SSL-VPN is enabled.

The critical Fortinet exploit lets attackers “interfere via the VPN, even if MFA is activated," an advisory from French cybersecurity firm Olympe Cyberdefense says – and Bach confirmed by Twitter DM to The Stack that “MFA does not have any impact on the exploitation of this vulnerability.”

“It affects the SSL-VPN component of Fortigate, if the remote web interface (the one used by end-users, not the admin page) is exposed and you do not have the latest version, you [are likely to] be vulnerable.

Mandiant's Nader Zaveri said: "We are expecting this to be a mass exploitation event."

CVE-2023-27997: ANOTHER serious Fortinet bug?

Customers facing yet another critical pre-auth RCE in Fortinet’s products would be forgiven for seriously considering their continued use given the regularity with which its products are exposed and exploited.

A few examples: Just 12 weeks ago Fortinet said that attackers exploited CVE-2022-41328, which affects FortiOS, to launch attacks that saw them then tamper with the firmware of FortiGate firewall devices; modifying the device firmware image (/sbin/init) to launch a persistent payload (/bin/fgfm) before the boot process began, which allowed them to download and write files, open remote shells and exfiltrate data.

Another recent Fortinet vulnerability, CVE-2022-40684 (CVSS 9.8) gave/gives an unauthenticated remote attacker root access to its core product’s administrative interface and was widely exploited in the wild.

So was pre-auth RCE vulnerability CVE-2022-42475 (CVSS 9.8) whilst CVE-2018-13379, a critical bug in Fortinet’s SSL VPN web portal became one of the most prolifically exploited vulnerabilities in recent years.

The disclosure also comes less than a month after CISA warned [PDF] that Chinese state-sponsored hackers had successfully breached US critical infrastructure networks in a “hands-on-keyboard” campaign – Microsoft Threat Intelligence said in its analysis of the campaign that it was seeing “initial access… through internet-facing Fortinet FortiGuard devices" but did not know the path saying it "continues to investigate Volt Typhoon’s methods for gaining access to these devices."

A Shodan search suggests some 250,000 Fortigate firewalls can be reached from the Internet. It was not immediately clear how many were exposed given the lack of detail on CVE-2023-27997, but expect offensive security professionals of both white and black hat type to reverse engineer the patch and work out the attack path very soon, with widespread exploitation likely to follow in short order. Patch promptly.

Follow The Stack on LinkedIn