CTI Flash Briefing: Fortinet’s latest firmware update contains fix for undisclosed RCE flaw in SSL-VPN devices

James Beal
Hunter Strategy
Jun 12, 2023

Breakdown

Fortinet released firmware security updates on Friday: FortiOS 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5. Charles Fol, a vulnerability researcher at Lexfo Security, tweeted on Sunday that the update quietly contains a fix for a pre-authentication Remote Code Execution (RCE) vulnerability he reported to Fortinet. The flaw affects all prior FortiOS versions with SSL-VPN enabled; if you cannot patch, the only mitigation is to disable the SSL-VPN feature on the device.

Overview

The vulnerability is being tracked under CVE-2023-27997. Full disclosure of this CVE is currently expected tomorrow, Tuesday, June 13th. We will update this Flash Brief or release a new one if further relevant details are released at that time.

The tweet from Charles Fol (embedded in the original post):

Per the BleepingComputer article, whose authors discussed the vulnerability directly with Fol:

Fol confirmed to BleepingComputer that this should be considered an urgent patch for Fortinet admins as it's likely to be quickly analyzed and discovered by threat actors. Fortinet devices are some of the most popular firewall and VPN devices in the market, making them a popular target for attacks.

Per a Shodan search, over 250,000 FortiGate firewalls can be reached from the Internet, and as this bug affects all previous versions, the majority are likely exposed. In the past, SSL-VPN flaws have been exploited by threat actors just days after patches are released, commonly used to gain initial access to networks to conduct data theft and ransomware attacks.

Therefore, admins must apply Fortinet security updates as soon as they become available.

Recommendation

Current mitigations: install the released patch (FortiOS 6.0.17, 6.2.15, 6.4.13, 7.0.12, or 7.2.5, depending on your branch) as soon as possible, or completely disable the SSL-VPN feature on affected devices until you can.
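To turn the recommendation into a triage list, the script below checks each device in an inventory against the fixed releases named in this briefing and sorts the ones that are both unpatched and still serving SSL-VPN to the top. This is an added example for this brief, not Fortinet or Hunter Strategy code: the CSV layout (hostname, version, sslvpn) and the sample devices are assumed and constructed here, the version strings follow the form FortiOS prints in `get system status`, and any branch not covered by Friday's update is flagged for manual review rather than guessed at.

```python
"""Triage a FortiOS inventory against the fixed releases in this briefing.

Added example (not Fortinet or Hunter Strategy code). The inventory
format is assumed: a CSV export with columns hostname,version,sslvpn.
"""
import csv
import io

# Branch -> first release carrying the fix, per the Friday firmware update.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}


def parse_version(text):
    """Turn 'v7.0.11', '7.0.11' or 'v7.0.11,build0489' into a comparable tuple."""
    core = text.strip().lstrip("vV").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v):
    return ".".join(str(n) for n in v)


def assess(version, sslvpn_enabled):
    """Classify one device. Returns (status, recommended action)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # Branch not named in Friday's update (end-of-life or a newer train):
        # the briefing gives no fixed build for it, so review it by hand.
        return "unknown-branch", "check Fortinet's advisory for this branch"
    if v >= fixed:
        return "patched", "none"
    if sslvpn_enabled:
        return "vulnerable-exposed", f"upgrade to {fmt(fixed)} now or disable SSL-VPN"
    # SSL-VPN off is the stated mitigation; still patch, but it is not urgent.
    return "vulnerable-mitigated", f"upgrade to {fmt(fixed)} at next window"


def triage(inventory_csv):
    """Run assess() over the CSV text and return rows ordered by urgency."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        enabled = row["sslvpn"].strip().lower() in ("enable", "enabled", "yes", "true", "1")
        status, action = assess(row["version"], enabled)
        results.append((row["hostname"].strip(), status, action))
    order = {"vulnerable-exposed": 0, "vulnerable-mitigated": 1,
             "unknown-branch": 2, "patched": 3}
    results.sort(key=lambda r: order[r[1]])  # stable: keeps inventory order within a tier
    return results


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = """hostname,version,sslvpn
fw-edge-01,v7.0.11,enable
fw-edge-02,v7.2.5,enable
fw-branch-03,v6.4.12,disable
fw-lab-04,v7.4.0,enable
"""

if __name__ == "__main__":
    for host, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status:22} {action}")
```

Feed it the same three columns from whatever your asset inventory or SIEM exports; the sslvpn column is whatever your own collection records for the SSL-VPN feature, since the script does not query the devices.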

Conclusion

To our current SOC partnerships, please reach out to our SOC team to learn more about the best steps in researching your exposure to this threat. If you have any questions on this on-going event or need any level of security assistance, please reach out to Hunter Strategy and we will be happy to discuss next steps in securing your IT systems!

Contact Us

contact@hunterstrategy.net

Our Website

James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.