CVE-2023-27997

FortiOS and FortiProxy SSL-VPN vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

A critical heap-based buffer overflow vulnerability in the SSL-VPN functionality of FortiOS and FortiProxy allows unauthenticated remote attackers to execute arbitrary code or commands through specially crafted SSL-VPN requests. This is a pre-authentication remote code execution (RCE) vulnerability affecting Fortinet's widely deployed security appliances. The vulnerability was disclosed on June 13, 2023. CISA has identified CVE-2023-27997 as actively exploited, and it is known to be used in ransomware campaigns.

Technical details

The vulnerability exists in the SSL-VPN module of FortiOS and FortiProxy. The flaw stems from improper validation and handling of SSL-VPN protocol requests, which fails to properly bounds-check input data before copying it into a heap buffer. This allows attackers to overflow the buffer and corrupt heap memory, potentially overwriting critical data structures and achieving arbitrary code execution with the privileges of the vulnerable process (typically root/SYSTEM level).

The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.

Impact

This pre-authentication RCE vulnerability allows attackers to completely compromise affected FortiOS and FortiProxy devices without requiring valid credentials. Successful exploitation enables arbitrary code execution with system-level privileges, leading to: (1) Complete unauthorized access to the device and its configuration; (2) Potential lateral movement into protected networks since these devices are typically perimeter security appliances; (3) Installation of persistent backdoors and malware; (4) Exfiltration of sensitive data and encryption keys; (5) Denial of service through device compromise; (6) Use of compromised devices as pivot points for further attacks on internal networks. Given that FortiOS and FortiProxy are widely deployed in enterprise environments as core security infrastructure, the impact is severe.

Mitigation and workarounds

Users should upgrade to the patched versions immediately. Fortinet released critical security updates addressing this vulnerability. For FortiOS, apply patches according to your version: 7.x users should update to 7.2.5/7.0.12, 6.x users to 6.4.13/6.0.17. FortiProxy users should update to 7.2.4, 7.0.10, or 2.0.13 depending on their version branch. Detailed upgrade procedures are available in Fortinet's security advisory. The following versions include the necessary fixes: FortiOS 7.2.5 and above, FortiOS 7.0.12 and above, FortiOS 6.4.13 and above, FortiOS 6.0.17 and above, FortiProxy 7.2.4 and above, FortiProxy 7.0.10 and above, FortiProxy 2.0.13 and above.
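The version list above is only useful if it is applied to an inventory correctly, and naive string comparison gets it wrong (as a string, "7.0.12" sorts before "7.0.9"). The following Python script is an added illustration, not a Fortinet tool: it parses version strings numerically, matches each device to the fixed release on its own major.minor branch using the versions stated in this report, and reports a device on a branch the report does not list as "unknown" rather than assuming it is safe. The hostnames and versions in the sample inventory are constructed.

```python
"""Check FortiOS / FortiProxy version strings against the fixed releases
listed for CVE-2023-27997. Added illustration, not a Fortinet tool."""
from __future__ import annotations

# Minimum fixed release per major.minor branch, taken from the advisory text above.
FIXED_VERSIONS = {
    "FortiOS": ("7.2.5", "7.0.12", "6.4.13", "6.0.17"),
    "FortiProxy": ("7.2.4", "7.0.10", "2.0.13"),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '7.0.11' into (7, 0, 11) so versions compare numerically, not lexically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def fixed_release_for(product: str, version: str) -> str | None:
    """Return the fixed release on the same major.minor branch as `version`,
    or None if that branch is not listed (treat as unknown, never as safe)."""
    branch = parse_version(version)[:2]
    for fixed in FIXED_VERSIONS.get(product, ()):
        if parse_version(fixed)[:2] == branch:
            return fixed
    return None


def is_patched(product: str, version: str) -> bool | None:
    """True if at/above the branch's fixed release, False if below, None if unknown branch."""
    fixed = fixed_release_for(product, version)
    if fixed is None:
        return None
    return parse_version(version) >= parse_version(fixed)


def assess_inventory(inventory) -> dict[str, str]:
    """Map each (hostname, product, version) record to a human-readable status."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown branch"}
    return {host: labels[is_patched(product, version)]
            for host, product, version in inventory}


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.11"),     # one release short of 7.0.12
    ("fw-edge-02", "FortiOS", "7.2.5"),      # exactly the fixed release
    ("fw-branch-03", "FortiOS", "6.4.12"),   # below 6.4.13
    ("proxy-01", "FortiProxy", "2.0.13"),    # exactly the fixed release
    ("proxy-02", "FortiProxy", "7.0.9"),     # below 7.0.10
    ("fw-lab-04", "FortiOS", "7.4.0"),       # branch not listed in this report
]

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Feed `assess_inventory` the product and version columns exported from your asset management system; any "VULNERABLE" or "unknown branch" result should be reconciled against Fortinet's advisory rather than treated as resolved.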

As temporary workarounds: disable the SSL-VPN service if it is not required; on FortiOS/FortiProxy this is done from the management interface by navigating to VPN > SSL-VPN > Edit and disabling the service. Implement network-level access controls that restrict access to the SSL-VPN port (default 443) to trusted IP addresses or ranges, using firewall rules or security groups. Deploy an intrusion prevention system (IPS) or intrusion detection system (IDS) configured with signatures that detect CVE-2023-27997 exploitation attempts, and monitor for suspicious SSL-VPN traffic patterns.

CISA's recommendation: Apply updates per vendor instructions.

Source: This report was generated using AI

Related Fortinet Vulnerabilities

No related vulnerabilities found with identified affected products.