Date: 12-06-2023

On June 12, 2023, Northwave published a threat response regarding newly discovered critical vulnerabilities in Fortinet SSL-VPN. This is an update to yesterday's threat response based on newly released information by Fortinet [1], as well as analysis by researchers at watchTowr [2].

The call-to-action remains to apply the latest firmware updates immediately, as the chance of active exploitation is high.

Description

Fortinet released additional details regarding a number of newly discovered vulnerabilities in SSL-VPN. In particular, the critical vulnerability tracked as CVE-2023-27997 "may have been exploited in a limited number of cases" [1].

Additionally, research released by watchTowr [2] contains details for a working exploit that allows attackers to crash and reboot an unpatched Fortinet device. This exploit can be abused against unpatched devices for denial of service today. A well-funded and well-motivated attacker might be able to craft a working remote code execution exploit for this vulnerability in the near future.

This newly released information stresses the urgency of applying the latest firmware updates to mitigate CVE-2023-27997 and other vulnerabilities.

 

What should you do?

Immediately apply the latest firmware updates on all Fortinet appliances on which SSL-VPN is enabled.

Monitor Fortinet appliances for a rise in unexpected application crashes, which might indicate that CVE-2023-27997 is being exploited for denial of service.

Beyond the scope of this particular vulnerability, Fortinet recommends reducing the attack surface of its appliances by disabling unused features and by following its FortiOS hardening recommendations [3].
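One way to act on the crash-monitoring recommendation above, as an added example that is not from Northwave or Fortinet: it counts crash events per appliance and process per hour, and flags hours that exceed both a minimum count and a multiple of that appliance's own recent average. The log line format, host names and thresholds are constructed assumptions; adapt the pattern to the crash events your log pipeline actually receives.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, hypothetical format (not the
# appliance's native log format); adapt CRASH_RE to your own log pipeline.
SAMPLE_LOG = """\
2023-06-10T03:12:45Z fw-edge-01 event=app_crash process=sslvpnd signal=11
2023-06-11T14:02:10Z fw-edge-02 event=app_crash process=ipsengine signal=11
2023-06-12T09:01:13Z fw-edge-01 event=app_crash process=sslvpnd signal=11
2023-06-12T09:07:48Z fw-edge-01 event=app_crash process=sslvpnd signal=11
2023-06-12T09:19:30Z fw-edge-01 event=app_crash process=sslvpnd signal=11
2023-06-12T09:41:02Z fw-edge-01 event=app_crash process=sslvpnd signal=11
2023-06-12T09:44:51Z fw-edge-01 event=admin_login user=ops
"""

CRASH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+event=app_crash\s+process=(?P<proc>\S+)")


def crash_spikes(log_text, min_count=3, baseline_days=7, factor=3.0):
    """Return (device, process, hour_start, count) for every hour whose crash
    count is >= min_count and > factor x the mean hourly crash count of the
    same device and process over the preceding baseline_days."""
    buckets = defaultdict(Counter)  # (device, process) -> {hour_start: crashes}
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if not m:
            continue  # not a crash event
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        buckets[(m["device"], m["proc"])][ts.replace(minute=0, second=0)] += 1

    alerts = []
    lookback = timedelta(days=baseline_days)
    for (device, proc), hours in sorted(buckets.items()):
        for hour, count in sorted(hours.items()):
            prior = sum(c for h, c in hours.items() if hour - lookback <= h < hour)
            baseline = prior / (baseline_days * 24)  # mean crashes per hour
            if count >= min_count and count > factor * baseline:
                alerts.append((device, proc, hour, count))
    return alerts


if __name__ == "__main__":
    for device, proc, hour, count in crash_spikes(SAMPLE_LOG):
        print(f"{device}: {count} {proc} crashes in the hour from {hour:%Y-%m-%d %H:%M} UTC")
```

Comparing each appliance against its own history keeps a device that crashes occasionally for unrelated reasons from masking or mimicking a sudden cluster.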

 

What will Northwave do?

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.

 

E-mail: soc@northwave.nl

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Disclaimer applies, see below.

Sources

[1]: https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign

[2]: https://labs.watchtowr.com/xortigate-or-cve-2023-27997/

[3]: https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/555436/hardening

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.