Fortinet: New FortiOS RCE bug "may have been exploited" in attacks

The flaw (tracked as CVE-2023-27997 / FG-IR-23-097) is a heap-based buffer overflow weakness in FortiOS and FortiProxy SSL-VPN that can let unauthenticated attackers gain remote code execution (RCE) via maliciously crafted requests.

CVE-2023-27997 was discovered during a code audit of the SSL-VPN module following another recent set of attacks against government organizations exploiting the CVE-2022-42475 FortiOS SSL-VPN zero-day.

On June 9, Fortinet released security updates to address the vulnerability before disclosing additional details on June 12.

This is not the first time the company has pushed patches before disclosing critical vulnerabilities to give customers time to secure their devices before threat actors reverse engineer them to create exploits.

"Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation," Fortinet said in a report published on June 5.

"For this reason, if the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release.

"If the customer is not operating SSL-VPN the risk of this issue is mitigated – however, Fortinet still recommends upgrading."

More than 250,000 Fortigate firewalls are exposed on the Internet, according to Shodan, and it is highly probable that a significant number are also currently vulnerable to attacks considering that this bug impacts all earlier firmware versions.

Volt Typhoon connections

While it didn't make any links to the recently disclosed Volt Typhoon attacks targeting critical infrastructure organizations across the United States, Fortinet did mention the possibility that the Chinese cyberespionage group could also target the CVE-2023-27997 flaw.

"At this time we are not linking FG-IR-23-097 to the Volt Typhoon campaign, however Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices," the company said.

"For this reason, Fortinet urges immediate and ongoing mitigation through an aggressive patching campaign."

Volt Typhoon is known for hacking into Internet-exposed Fortinet FortiGuard devices via an unknown zero-day vulnerability to gain access to the networks of organizations in a wide range of critical sectors.

The threat actors also use compromised routers, firewalls, and VPN appliances from multiple vendors to evade detection by ensuring their malicious activity blends in with legitimate network traffic.

Fortinet said today that they are primarily targeting devices unpatched against CVE-2022-40684, an authentication bypass vulnerability in FortiOS / FortiProxy / FortiSwitchManager devices, for initial access.

However, just as previously mentioned, the threat actors are expected to also start abusing new vulnerabilities, as they are disclosed.

Source: bleepingcomputer.com