Fortigate SSL-VPN Remote Code Execution vulnerability

1:00pm, 12 June 2023

TLP Rating: Clear

Update: 26/06/23

A vulnerability has been discovered that affects FortiOS FortiGate devices with SSL-VPN enabled.

This heap-based buffer overflow vulnerability allows an attacker to run unauthorised code or commands remotely on the affected system.

The vulnerability is tracked as CVE-2023-27997.

What to look for

How to tell if you're at risk

All FortiGate devices running FortiOS with SSL-VPN enabled are potentially at risk. The affected versions are:

  • FortiOS-6K7K version 7.0.10
  • FortiOS-6K7K version 7.0.5
  • FortiOS-6K7K version 6.4.12
  • FortiOS-6K7K version 6.4.10
  • FortiOS-6K7K version 6.4.8
  • FortiOS-6K7K version 6.4.6
  • FortiOS-6K7K version 6.4.2
  • FortiOS-6K7K version 6.2.9 through 6.2.13
  • FortiOS-6K7K version 6.2.6 through 6.2.7
  • FortiOS-6K7K version 6.2.4
  • FortiOS-6K7K version 6.0.12 through 6.0.16
  • FortiOS-6K7K version 6.0.10
  • FortiProxy version 7.2.0 through 7.2.3
  • FortiProxy version 7.0.0 through 7.0.9
  • FortiProxy version 2.0.0 through 2.0.12
  • FortiProxy 1.2 all versions
  • FortiProxy 1.1 all versions
  • FortiOS version 7.2.0 through 7.2.4
  • FortiOS version 7.0.0 through 7.0.11
  • FortiOS version 6.4.0 through 6.4.12
  • FortiOS version 6.2.0 through 6.2.13
  • FortiOS version 6.0.0 through 6.0.16

FortiSASE is no longer impacted; the issue was remediated in Q2/23.

What to do

Prevention

Upgrade your devices running FortiOS or FortiProxy to a fixed version as soon as possible:

  • upgrade to FortiOS-6K7K version 7.0.12 or above
  • upgrade to FortiOS-6K7K version 6.4.13 or above
  • upgrade to FortiOS-6K7K version 6.2.15 or above
  • upgrade to FortiOS-6K7K version 6.0.17 or above
  • upgrade to FortiProxy version 7.2.4 or above
  • upgrade to FortiProxy version 7.0.10 or above
  • upgrade to FortiProxy version 2.0.13 or above
  • upgrade to FortiOS version 7.4.0 or above
  • upgrade to FortiOS version 7.2.5 or above
  • upgrade to FortiOS version 7.0.12 or above
  • upgrade to FortiOS version 6.4.13 or above
  • upgrade to FortiOS version 6.2.14 or above
  • upgrade to FortiOS version 6.0.17 or above

Mitigation

If upgrading is not immediately possible, CERT NZ recommends disabling SSL-VPN as an interim mitigation.
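To turn the version lists above into something a defender can run over a device inventory, here is an added example (not CERT NZ's or Fortinet's code) that encodes the affected ranges, the fixed releases and the SSL-VPN-enabled condition from this advisory. The inventory at the bottom is constructed sample data; product names, hostnames and the "exposed"/"upgrade"/"not affected" labels are this example's own assumptions, and build numbers in version strings are ignored.

```python
"""Fleet check for CVE-2023-27997 (FortiOS / FortiOS-6K7K / FortiProxy SSL-VPN).

Added example: the affected and fixed version ranges are transcribed from the
CERT NZ advisory; the inventory in the __main__ block is constructed sample data.
Versions are compared as (major, minor, patch) tuples; build numbers are ignored.
"""
import re
from typing import Optional

Version = tuple[int, int, int]
ALL = 10**6  # sentinel patch level meaning "every release on this branch"

# (product, lowest affected release, highest affected release), per the advisory.
AFFECTED: list[tuple[str, Version, Version]] = [
    ("FortiOS-6K7K", (7, 0, 10), (7, 0, 10)),
    ("FortiOS-6K7K", (7, 0, 5), (7, 0, 5)),
    ("FortiOS-6K7K", (6, 4, 12), (6, 4, 12)),
    ("FortiOS-6K7K", (6, 4, 10), (6, 4, 10)),
    ("FortiOS-6K7K", (6, 4, 8), (6, 4, 8)),
    ("FortiOS-6K7K", (6, 4, 6), (6, 4, 6)),
    ("FortiOS-6K7K", (6, 4, 2), (6, 4, 2)),
    ("FortiOS-6K7K", (6, 2, 9), (6, 2, 13)),
    ("FortiOS-6K7K", (6, 2, 6), (6, 2, 7)),
    ("FortiOS-6K7K", (6, 2, 4), (6, 2, 4)),
    ("FortiOS-6K7K", (6, 0, 12), (6, 0, 16)),
    ("FortiOS-6K7K", (6, 0, 10), (6, 0, 10)),
    ("FortiProxy", (7, 2, 0), (7, 2, 3)),
    ("FortiProxy", (7, 0, 0), (7, 0, 9)),
    ("FortiProxy", (2, 0, 0), (2, 0, 12)),
    ("FortiProxy", (1, 2, 0), (1, 2, ALL)),   # "1.2 all versions"
    ("FortiProxy", (1, 1, 0), (1, 1, ALL)),   # "1.1 all versions"
    ("FortiOS", (7, 2, 0), (7, 2, 4)),
    ("FortiOS", (7, 0, 0), (7, 0, 11)),
    ("FortiOS", (6, 4, 0), (6, 4, 12)),
    ("FortiOS", (6, 2, 0), (6, 2, 13)),
    ("FortiOS", (6, 0, 0), (6, 0, 16)),
]

# Lowest fixed release per (product, major.minor branch), per the advisory.
FIXED: dict[tuple[str, tuple[int, int]], Version] = {
    ("FortiOS-6K7K", (7, 0)): (7, 0, 12),
    ("FortiOS-6K7K", (6, 4)): (6, 4, 13),
    ("FortiOS-6K7K", (6, 2)): (6, 2, 15),
    ("FortiOS-6K7K", (6, 0)): (6, 0, 17),
    ("FortiProxy", (7, 2)): (7, 2, 4),
    ("FortiProxy", (7, 0)): (7, 0, 10),
    ("FortiProxy", (2, 0)): (2, 0, 13),
    ("FortiOS", (7, 4)): (7, 4, 0),
    ("FortiOS", (7, 2)): (7, 2, 5),
    ("FortiOS", (7, 0)): (7, 0, 12),
    ("FortiOS", (6, 4)): (6, 4, 13),
    ("FortiOS", (6, 2)): (6, 2, 14),
    ("FortiOS", (6, 0)): (6, 0, 17),
}


def parse_version(text: str) -> Version:
    """Accepts '7.0.11', 'v7.0.11', '7.0.11 build0489' or '7.2'; build numbers are dropped."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(product: str, version: str) -> bool:
    """True if the release falls inside any affected range for this product."""
    if product not in {p for p, _, _ in AFFECTED}:
        raise ValueError(f"product {product!r} is not covered by this advisory")
    v = parse_version(version)
    return any(lo <= v <= hi for p, lo, hi in AFFECTED if p == product)


def fixed_version(product: str, version: str) -> Optional[str]:
    """Lowest fixed release on the device's own major.minor branch, or None when
    the advisory lists no fixed release for that branch (e.g. FortiProxy 1.x)."""
    major, minor, _ = parse_version(version)
    fix = FIXED.get((product, (major, minor)))
    return ".".join(map(str, fix)) if fix else None


def assess(product: str, version: str, sslvpn_enabled: bool) -> dict:
    """Classify one device: 'exposed' (affected and SSL-VPN on), 'upgrade' (affected,
    but SSL-VPN already off, i.e. the interim mitigation applies) or 'not affected'."""
    affected = is_affected(product, version)
    if not affected:
        status = "not affected"
    elif sslvpn_enabled:
        status = "exposed"
    else:
        status = "upgrade"
    return {"status": status,
            "fixed_version": fixed_version(product, version) if affected else None}


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, product, version, SSL-VPN enabled).
    INVENTORY = [
        ("fw-akl-01", "FortiOS", "7.0.11 build0489", True),
        ("fw-wlg-02", "FortiOS", "7.2.5", True),
        ("fw-chc-03", "FortiOS-6K7K", "6.2.9", True),
        ("proxy-01", "FortiProxy", "1.2.9", False),
    ]
    for host, product, version, sslvpn in INVENTORY:
        r = assess(product, version, sslvpn)
        print(f"{host:10} {product:13} {version:18} {r['status']:13} "
              f"fix: {r['fixed_version'] or 'none listed on this branch'}")
```

Devices reported as "upgrade" still need patching; disabling SSL-VPN only removes the exposed service, it does not remove the flaw. A branch with no fixed release listed (such as FortiProxy 1.x) returns None, which should be treated as "move to a supported branch" rather than "nothing to do".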

More information

Further details can be found here:

Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign | Fortinet Blog

Official information released by Fortinet will be available here:

PSIRT Advisories | FortiGuard

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ