
CVE-2023-27997: Fortinet Fortigate SSL VPN Pre-Auth RCE critical vulnerability

CVE-2023-27997 allows an attacker to redirect the execution flow by sending specially crafted content.

Details have been disclosed about a critical vulnerability (CVE-2023-27997) affecting Fortinet Fortigate devices with exposed SSL VPN services. This vulnerability, which does not require prior authentication, would allow a remote attacker to execute code on the device by exploiting a heap-based buffer overflow.

This vulnerability makes it possible to redirect the execution flow by sending a specially crafted payload whose size is not properly checked. The payload would corrupt the heap memory area of the device, allowing arbitrary code to be executed or causing a denial of service. This would seriously affect the confidentiality, integrity and availability of the device.

Fortinet is a U.S. multinational company headquartered in Sunnyvale, California. It develops and markets cybersecurity software, devices and services, such as firewalls, antivirus, intrusion prevention and user device security, among others.

CVE-2023-27997 main characteristics

The main characteristics of this vulnerability are detailed below.

  • ID: CVE-2023-27997.
  • Publication date: 2023/12/06.
  • Affected software: Fortinet Fortigate.
  • CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical).
  • Affected versions:
    • FortiOS-6K7K version 7.0.10
    • FortiOS-6K7K version 7.0.5
    • FortiOS-6K7K version 6.4.12
    • FortiOS-6K7K version 6.4.10
    • FortiOS-6K7K version 6.4.8
    • FortiOS-6K7K version 6.4.6
    • FortiOS-6K7K version 6.4.2
    • FortiOS-6K7K version 6.2.9 through 6.2.13
    • FortiOS-6K7K version 6.2.6 through 6.2.7
    • FortiOS-6K7K version 6.2.4
    • FortiOS-6K7K version 6.0.12 through 6.0.16
    • FortiOS-6K7K version 6.0.10
    • FortiProxy version 7.2.0 through 7.2.3
    • FortiProxy version 7.0.0 through 7.0.9
    • FortiProxy version 2.0.0 through 2.0.12
    • FortiProxy 1.2 all versions
    • FortiProxy 1.1 all versions
    • FortiOS version 7.2.0 through 7.2.4
    • FortiOS version 7.0.0 through 7.0.11
    • FortiOS version 6.4.0 through 6.4.12
    • FortiOS version 6.2.0 through 6.2.13
    • FortiOS version 6.0.0 through 6.0.16
  • Exploitation requirements:
    • The attacker must be able to access the port configured for SSL VPN connections on the device.

CVE-2023-27997 mitigation

The main solution is to urgently upgrade Fortinet Fortigate to one of the newly released versions that fix CVE-2023-27997:

  • FortiOS-6K7K version 7.0.12 or above.
  • FortiOS-6K7K version 6.4.13 or above.
  • FortiOS-6K7K version 6.2.15 or above.
  • FortiOS-6K7K version 6.0.17 or above.
  • FortiProxy version 7.2.4 or above.
  • FortiProxy version 7.0.10 or above.
  • FortiOS version 7.4.0 or above.
  • FortiOS version 7.2.5 or above.
  • FortiOS version 7.0.12 or above.
  • FortiOS version 6.4.13 or above.
  • FortiOS version 6.2.14 or above.
  • FortiOS version 6.0.17 or above.

Fortinet has released an official statement with information and updates regarding this vulnerability.

Vulnerability detection

The presence of the vulnerability can be identified by checking the current version of FortiOS software. This information can be accessed using the following command in the Fortinet Fortigate console:

diagnose sys fortiguard-service status

If the output of the command shows FortiOS Version 7.2.5 or higher, 7.0.12 or higher, 6.4.13 or higher, 6.2.15 or higher, or 6.0.17 or higher, then the device would not be vulnerable. If the output shows a lower version number, the device is vulnerable and should be patched as quickly as possible.
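The version check described above, as an added example (not Tarlogic's or Fortinet's code): a Python triage of an inventory against the FortiOS and FortiProxy ranges from the affected-versions list on this page, comparing versions numerically so that 6.4.9 sorts below 6.4.12. The hostnames, versions and build suffix in the sample are constructed, and the FortiOS-6K7K entries are left out.

```python
import re

# Ranges copied from the "Affected versions" list on this page (inclusive bounds).
AFFECTED = {
    "FortiOS": [("7.2.0", "7.2.4"), ("7.0.0", "7.0.11"), ("6.4.0", "6.4.12"),
                ("6.2.0", "6.2.13"), ("6.0.0", "6.0.16")],
    "FortiProxy": [("7.2.0", "7.2.3"), ("7.0.0", "7.0.9"), ("2.0.0", "2.0.12")],
}
# Branches the page lists as affected in all versions.
AFFECTED_BRANCHES = {"FortiProxy": [(1, 2), (1, 1)]}


def parse_version(text):
    """Return (major, minor, patch) as ints; tolerate a leading 'v' and a build suffix."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def classify(product, version):
    """Return 'affected', 'not listed' or 'unknown product'.

    'not listed' only means the version is outside the ranges above; it is not
    a statement about releases the page does not mention.
    """
    if product not in AFFECTED:
        return "unknown product"
    v = parse_version(version)
    if v[:2] in AFFECTED_BRANCHES.get(product, []):
        return "affected"
    for low, high in AFFECTED[product]:
        # Tuple comparison is numeric: (6, 4, 9) < (6, 4, 12), unlike "6.4.9" < "6.4.12".
        if parse_version(low) <= v <= parse_version(high):
            return "affected"
    return "not listed"


def triage(inventory):
    """Map hostname -> classification for (hostname, product, version) rows."""
    return {host: classify(product, version) for host, product, version in inventory}


# Constructed sample inventory (illustrative hostnames and versions).
SAMPLE = [
    ("fw-edge-01", "FortiOS", "v6.4.9"),
    ("fw-edge-02", "FortiOS", "7.2.5"),
    ("fw-branch-03", "FortiOS", "7.0.11 build0000"),
    ("proxy-01", "FortiProxy", "1.2.13"),
    ("proxy-02", "FortiProxy", "7.2.4"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```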

As part of its emerging vulnerability service, Tarlogic proactively monitors its customers’ perimeter to report, detect and urgently notify the presence of this vulnerability, as well as other critical threats that could cause a serious impact on the security of their assets.
