CVE-2023-27997

Analysis and mitigation of the FortiOS and FortiProxy SSL-VPN vulnerability: CRITICAL (CVSS 9.8)

High-profile threat

Overview

A critical heap-based buffer overflow vulnerability in the SSL-VPN functionality of FortiOS and FortiProxy allows unauthenticated remote attackers to execute arbitrary code or commands through specially crafted SSL-VPN requests. This is a pre-authentication remote code execution (RCE) vulnerability affecting Fortinet's widely deployed security appliances. The vulnerability was disclosed on June 13, 2023. CISA has identified CVE-2023-27997 as exploited, and it is known to be used in ransomware campaigns.

Technical details

The vulnerability exists in the SSL-VPN module of FortiOS and FortiProxy. The flaw stems from improper validation and handling of SSL-VPN protocol requests: input data is not properly bounds-checked before being copied into a heap buffer. This allows attackers to overflow the buffer and corrupt heap memory, potentially overwriting critical data structures and achieving arbitrary code execution with the privileges of the vulnerable process (typically root/SYSTEM level).

The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, reflecting its critical nature.

Impact

This pre-authentication RCE vulnerability allows attackers to completely compromise affected FortiOS and FortiProxy devices without requiring valid credentials. Successful exploitation enables arbitrary code execution with system-level privileges, leading to: (1) Complete unauthorized access to the device and its configuration; (2) Potential lateral movement into protected networks since these devices are typically perimeter security appliances; (3) Installation of persistent backdoors and malware; (4) Exfiltration of sensitive data and encryption keys; (5) Denial of service through device compromise; (6) Use of compromised devices as pivot points for further attacks on internal networks. Given that FortiOS and FortiProxy are widely deployed in enterprise environments as core security infrastructure, the impact is severe.

Mitigation and workarounds

Users should upgrade to the patched versions immediately. Fortinet released critical security updates addressing this vulnerability. For FortiOS, apply patches according to your version: 7.x users should update to 7.2.5/7.0.12, 6.x users to 6.4.13/6.0.17. FortiProxy users should update to 7.2.4, 7.0.10, or 2.0.13 depending on their version branch. Detailed upgrade procedures are available in Fortinet's security advisory. The following versions include the necessary fixes: FortiOS 7.2.5 and above, FortiOS 7.0.12 and above, FortiOS 6.4.13 and above, FortiOS 6.0.17 and above, FortiProxy 7.2.4 and above, FortiProxy 7.0.10 and above, FortiProxy 2.0.13 and above.
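An inventory check against the fixed versions listed above, added here as an example (it is not part of this report and not Fortinet tooling). It assumes a device is patched when its version is at or above the first fixed release of its own major.minor branch, and it deliberately reports branches this page does not list (FortiOS 6.2.x, 7.4.x) as unknown rather than guessing. The inventory and the status-line format it parses are constructed samples.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions exactly as listed in the advisory text on this page.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "FortiOS": ["7.2.5", "7.0.12", "6.4.13", "6.0.17"],
    "FortiProxy": ["7.2.4", "7.0.10", "2.0.13"],
}

# Matches a bare "7.0.12" or a "v7.0.12,build0489" style token inside a longer line.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); any build/date suffix after the version is ignored."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_patched(product: str, text: str) -> Optional[bool]:
    """True if the version is at or above the fixed release of its branch,
    False if it is below, None if this page lists no fixed release for the
    branch (e.g. FortiOS 6.2.x or 7.4.x): consult the vendor advisory instead.
    Assumption: branches are keyed on major.minor, as in the list above."""
    major, minor, patch = parse_version(text)
    for fixed in FIXED_VERSIONS.get(product, []):
        f_major, f_minor, f_patch = parse_version(fixed)
        if (f_major, f_minor) == (major, minor):
            return patch >= f_patch
    return None


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Label each (name, product, version_text) entry for a patch-status report."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown branch"}
    return {name: labels[is_patched(product, version)] for name, product, version in inventory}


# Constructed sample inventory; names, products and version strings are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "Version: FortiGate-100F v7.0.11,build0489"),
    ("fw-edge-02", "FortiOS", "v7.2.5,build1517"),
    ("proxy-dmz", "FortiProxy", "2.0.12"),
    ("fw-lab", "FortiOS", "6.2.14"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Feed it the version column of your asset inventory (or the version line from each device's status output) and treat every "unknown branch" result as work to do by hand against the vendor advisory, not as a pass.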

As temporary workarounds: disable the SSL-VPN service if it is not required (in the FortiOS/FortiProxy management interface, navigate to VPN > SSL-VPN > Edit and disable the service); implement network-level access controls that restrict access to the SSL-VPN port (default 443) to trusted IP addresses or ranges only, using firewall rules or security groups; and deploy an intrusion prevention system (IPS) or intrusion detection system (IDS) configured with signatures that detect CVE-2023-27997 exploitation attempts, and monitor for suspicious SSL-VPN traffic patterns.

CISA recommendation: Apply updates per vendor instructions.

Source: This report was generated by AI.

Related Fortinet vulnerabilities

No related vulnerabilities with identified affected products.