1:00pm, 12 June 2023
TLP Rating:
FortiGate SSL-VPN Remote Code Execution vulnerability
Update: 26/06/23
A vulnerability has been discovered that affects FortiOS FortiGate devices with SSL-VPN enabled.
This heap-based buffer overflow vulnerability allows an attacker to run unauthorised code or commands remotely on the affected system.
The vulnerability is tracked as CVE-2023-27997.
What to look for
How to tell if you're at risk
All FortiGate devices running FortiOS with SSL-VPN enabled are potentially at risk.
- FortiOS-6K7K version 7.0.10
- FortiOS-6K7K version 7.0.5
- FortiOS-6K7K version 6.4.12
- FortiOS-6K7K version 6.4.10
- FortiOS-6K7K version 6.4.8
- FortiOS-6K7K version 6.4.6
- FortiOS-6K7K version 6.4.2
- FortiOS-6K7K version 6.2.9 through 6.2.13
- FortiOS-6K7K version 6.2.6 through 6.2.7
- FortiOS-6K7K version 6.2.4
- FortiOS-6K7K version 6.0.12 through 6.0.16
- FortiOS-6K7K version 6.0.10
- FortiProxy version 7.2.0 through 7.2.3
- FortiProxy version 7.0.0 through 7.0.9
- FortiProxy version 2.0.0 through 2.0.12
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
- FortiOS version 7.2.0 through 7.2.4
- FortiOS version 7.0.0 through 7.0.11
- FortiOS version 6.4.0 through 6.4.12
- FortiOS version 6.2.0 through 6.2.13
- FortiOS version 6.0.0 through 6.0.16
FortiSASE is no longer impacted; the issue was remediated in Q2/23.
What to do
Prevention
Upgrade your devices running FortiOS to the latest version as soon as possible.
- upgrade to FortiOS-6K7K version 7.0.12 or above
- upgrade to FortiOS-6K7K version 6.4.13 or above
- upgrade to FortiOS-6K7K version 6.2.15 or above
- upgrade to FortiOS-6K7K version 6.0.17 or above
- upgrade to FortiProxy version 7.2.4 or above
- upgrade to FortiProxy version 7.0.10 or above
- upgrade to FortiProxy version 2.0.13 or above
- upgrade to FortiOS version 7.4.0 or above
- upgrade to FortiOS version 7.2.5 or above
- upgrade to FortiOS version 7.0.12 or above
- upgrade to FortiOS version 6.4.13 or above
- upgrade to FortiOS version 6.2.14 or above
- upgrade to FortiOS version 6.0.17 or above
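To turn the affected-version list under "How to tell if you're at risk" and the upgrade list under "Prevention" into a repeatable check, the following Python script is an added example (it is not CERT NZ's or Fortinet's code). It transcribes the version ranges and fixed releases exactly as listed on this page, pulls a `major.minor.patch` triple out of a free-text version string, and reports whether a device is on a listed version, whether it is actually exposed given the SSL-VPN setting, and which release the advisory says to move to. The sample banner line in the `__main__` block is constructed and only loosely modelled on a FortiGate status line; the regex does not depend on that exact format.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
INF = 10**9  # sentinel for "all versions" on a branch (FortiProxy 1.1 and 1.2)

# Affected ranges transcribed from the advisory, inclusive (low, high) per product.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiOS-6K7K": [
        ((7, 0, 10), (7, 0, 10)), ((7, 0, 5), (7, 0, 5)),
        ((6, 4, 12), (6, 4, 12)), ((6, 4, 10), (6, 4, 10)), ((6, 4, 8), (6, 4, 8)),
        ((6, 4, 6), (6, 4, 6)), ((6, 4, 2), (6, 4, 2)),
        ((6, 2, 9), (6, 2, 13)), ((6, 2, 6), (6, 2, 7)), ((6, 2, 4), (6, 2, 4)),
        ((6, 0, 12), (6, 0, 16)), ((6, 0, 10), (6, 0, 10)),
    ],
    "FortiProxy": [
        ((7, 2, 0), (7, 2, 3)), ((7, 0, 0), (7, 0, 9)), ((2, 0, 0), (2, 0, 12)),
        ((1, 2, 0), (1, 2, INF)), ((1, 1, 0), (1, 1, INF)),
    ],
    "FortiOS": [
        ((7, 2, 0), (7, 2, 4)), ((7, 0, 0), (7, 0, 11)), ((6, 4, 0), (6, 4, 12)),
        ((6, 2, 0), (6, 2, 13)), ((6, 0, 0), (6, 0, 16)),
    ],
}

# First fixed release per (major, minor) branch, from the advisory's upgrade list.
# Branches with no fixed release listed (FortiProxy 1.1 / 1.2) are simply absent.
FIXED: Dict[str, Dict[Tuple[int, int], Version]] = {
    "FortiOS-6K7K": {(7, 0): (7, 0, 12), (6, 4): (6, 4, 13),
                     (6, 2): (6, 2, 15), (6, 0): (6, 0, 17)},
    "FortiProxy": {(7, 2): (7, 2, 4), (7, 0): (7, 0, 10), (2, 0): (2, 0, 13)},
    "FortiOS": {(7, 4): (7, 4, 0), (7, 2): (7, 2, 5), (7, 0): (7, 0, 12),
                (6, 4): (6, 4, 13), (6, 2): (6, 2, 14), (6, 0): (6, 0, 17)},
}

# Matches "7.0.11" or "v7.0.11" wherever it appears in a line of text.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Version:
    """Extract the first major.minor.patch triple from free text."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version: Version) -> bool:
    """True if the version falls inside any range the advisory lists for this product."""
    return any(low <= version <= high for low, high in AFFECTED[product])


def fixed_release(product: str, version: Version) -> Optional[str]:
    """Fixed release for the device's own major.minor branch, or None if none is listed."""
    fixed = FIXED[product].get(version[:2])
    return None if fixed is None else ".".join(map(str, fixed))


def assess(product: str, version_text: str, sslvpn_enabled: bool) -> dict:
    """Combine the version check with the SSL-VPN condition the advisory states."""
    version = parse_version(version_text)
    affected = is_affected(product, version)
    return {
        "version": ".".join(map(str, version)),
        "affected": affected,
        # The bug is reachable through SSL-VPN; a disabled SSL-VPN is the
        # advisory's mitigation, but the device should still be upgraded.
        "exposed": affected and sslvpn_enabled,
        "upgrade_to": fixed_release(product, version) if affected else None,
    }


if __name__ == "__main__":
    # Constructed sample banner line (not real device output).
    banner = "Version: FortiGate-100F v7.0.11,build0489,230405 (GA)"
    print(assess("FortiOS", banner, sslvpn_enabled=True))
    print(assess("FortiProxy", "1.2.3", sslvpn_enabled=True))
```

A version that is not listed comes back as `affected: False`, which means "not listed in this advisory", not "safe": FortiOS-6K7K 6.4.9, for instance, sits between two listed 6K7K versions and would need checking against Fortinet's own PSIRT advisory. For the FortiProxy 1.1 and 1.2 branches the script reports `upgrade_to: None` because the page lists no fixed release for them.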
Mitigation
As an alternative mitigation, CERT NZ recommends disabling SSL-VPN.
More information
Further details can be found here:
Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign | Fortinet Blog
Official information released by Fortinet will be available here:
PSIRT Advisories | FortiGuard
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.