Fortinet: Patched Critical Flaw May Have Been Exploited

Attackers may have exploited a flaw in Fortinet's FortiOS SSL-VPN in "a limited number of cases" that affected users in government, manufacturing, and critical infrastructure sectors.

Fortinet issued a fix for the vulnerability, tracked as CVE-2023-27997/FG-IR-23-097) and rated as critical, that it's urging customers to apply as they "monitor the situation," the company said in a blog post published this week.

Exploitation of the flaw can produce "data loss and OS and file corruption" for victims, which is why it's imperative for customers affected to update systems, according to Fortinet.

"If the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release," Carl Windsor, Fortinet's senior vice president, product technology, wrote in the post. "If the customer is not operating SSL-VPN the risk of this issue is mitigated — however, Fortinet still recommends upgrading."

The heap-based buffer overflow, pre-authentication vulnerability affects FortiOS and FortiProxy SSL-VPN and can allow unauthenticated attackers to gain remote code execution (RCE) via maliciously crafted requests, according to Fortinet. FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 — released by the vendor on Friday — patch the vulnerability.

Fortinet found the flaw in an audit of its SSL-VPN platform after the rampant exploitation of another vulnerability, CVE-2022-42475 — which upon discovery was a zero-day bug — in January.

"This audit, together with a responsible disclosure from a third-party researcher, led to the identification of certain issues that have been remediated in the current firmware releases," Windsor wrote.

Potential Links to Volt Typhoon

Though attackers used a previously identified Fortinet vulnerability — FG-IR-22-377/CVE-2022-40684 — in the recently discovered Volt Typhoon campaign against US criticial infrastructure targets, Fortinet so far is not conclusively linking CVE-2023-27997 to this series of attacks, the company said in the post.

However, Fortinet claimed this does not preclude its use in the campaign, whether it's currently being exploited, or if attackers will leverage it in the future.

"Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices," Windsor wrote.

Discovered by Microsoft, Volt Typhoon is a series of attacks in which China-sponsored threat actors established persistent access within telecom networks and other critical infrastructure targets in the US.

Volt Typhoon attackers used CVE-2022-40684 — an authentication bypass vulnerability found in Fortinet FortiOS and FortiProxy — for initial access, Fortinet confirmed. Indeed, Internet-facing Fortinet devices are a popular target for various threat actors as a way to gain a foothold into enterprise networks.

Specifically, Fortinet researchers discovered admin accounts named "fortinet-tech-support" and "fortigate-tech-support" in customer devices related to the Volt Typhoon campaign, the company said.

"Our own research, conducted in collaboration with our customers, has identified that the Volt Typhoon campaign uses a variety of tactics, techniques, and procedures (TTPs) to gain access to networks, including a widely used technique known as 'living off the land' to evade detection," Windsor wrote.

Mitigations Beyond Patching

While applying product updates is the key way to avoid compromise, Fortinet made other suggestions to help affected organizations resolve the issue. One is to review systems for evidence of exploitation of previous Fortinet vulnerabilities, such as the one exploited by Volt Typhoon, the company said.

Minimizing the attack surface by disabling unused features and managing devices via an out-of-band method wherever possible can also help companies avoid being targeted in attacks that exploit existing vulnerabilities, according to Fortinet.