New FortiOS RCE bug “may have been exploited” in attacks


Fortinet says a critical FortiOS SSL-VPN vulnerability that was patched last week “may have been exploited” in attacks impacting government, manufacturing, and critical infrastructure organizations.

The flaw (tracked as CVE-2023-27997 / FG-IR-23-097) is a heap-based buffer overflow weakness in FortiOS and FortiProxy SSL-VPN that may let unauthenticated attackers gain remote code execution (RCE) via maliciously crafted requests.

CVE-2023-27997 was discovered during a code audit of the SSL-VPN module following another recent set of attacks against government organizations exploiting the CVE-2022-42475 FortiOS SSL-VPN zero-day.

On Friday, Fortinet released security updates to address the vulnerability before disclosing additional details today.

This isn't the first time the company has pushed patches before disclosing critical vulnerabilities, to give customers time to secure their devices before threat actors reverse engineer the fixes to create exploits.

“Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation,” Fortinet said in a report published on Monday.

“For this reason, if the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release.

“If the customer is not operating SSL-VPN the risk of this issue is mitigated – however, Fortinet still recommends upgrading.”

More than 250,000 FortiGate firewalls are exposed on the Internet, according to Shodan, and it is highly likely that a significant number of them are also currently vulnerable to attacks, considering that this bug affects all earlier firmware versions.
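Fortinet's guidance above splits devices into two buckets: SSL-VPN enabled (upgrade immediately) and SSL-VPN disabled (risk mitigated, but still upgrade). A fleet-wide triage needs to answer that question per device from something you already have, such as a saved CLI config backup. The following is an added example, not Fortinet's own code or tooling: it parses the `config vpn ssl settings` block of a FortiOS-style CLI export and reports whether SSL-VPN is enabled, on which port, and whether any of its source interfaces carries the `wan` role. The two config excerpts are constructed, and the key names (`status`, `port`, `source-interface`, `role`) and the assumption that `show` omits the default `status enable` should be checked against your own `show full-configuration vpn ssl settings` output.

```python
"""Triage helper: is SSL-VPN enabled (and Internet-facing) on a FortiGate?

Added example, not Fortinet's code. It reads a FortiOS-style CLI export
(config / edit / set / next / end). Key names and the default-enable
assumption for 'status' are assumptions to verify against a real device.
"""
import re

# Constructed sample: SSL-VPN left at its default (enabled), bound to wan1
# and port1 on a non-default port. Mimics a 'show' export, which omits
# settings still at their default value.
SAMPLE_ENABLED = """\
config system interface
    edit "wan1"
        set role wan
    next
    edit "port1"
        set role lan
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1" "port1"
    set source-address "all"
    set port 10443
end
"""

# Constructed sample: SSL-VPN explicitly disabled.
SAMPLE_DISABLED = """\
config vpn ssl settings
    set status disable
    set port 443
end
"""


def parse_fortios_config(text):
    """Parse a CLI export into {block_path: {key: [values]}}.

    Nested 'edit "name"' entries are keyed as 'parent > edit name', e.g.
    'system interface > edit wan1'. Values keep quoted strings whole.
    """
    blocks = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
            blocks.setdefault(" > ".join(stack), {})
        elif line.startswith("edit "):
            stack.append("edit " + line[len("edit "):].strip('"'))
            blocks.setdefault(" > ".join(stack), {})
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif line.startswith("set "):
            key, _, rest = line[len("set "):].partition(" ")
            pairs = re.findall(r'"([^"]*)"|(\S+)', rest)
            blocks.setdefault(" > ".join(stack), {})[key] = [q or b for q, b in pairs]
    return blocks


def sslvpn_exposure(config_text):
    """Classify one device per the advisory: immediate vs. mitigated-but-upgrade."""
    cfg = parse_fortios_config(config_text)
    ssl = cfg.get("vpn ssl settings", {})
    # Assumption: an absent 'status' means the default, which we take as enable.
    enabled = ssl.get("status", ["enable"])[0] == "enable"
    port = int(ssl.get("port", ["443"])[0])
    ifaces = ssl.get("source-interface", [])
    wan_facing = [
        i for i in ifaces
        if cfg.get(f"system interface > edit {i}", {}).get("role", [""])[0] == "wan"
    ]
    if enabled and wan_facing:
        priority = "immediate: SSL-VPN listening on a WAN-role interface"
    elif enabled:
        priority = "immediate: SSL-VPN enabled (no WAN-role interface identified)"
    else:
        priority = "upgrade anyway: risk mitigated while SSL-VPN is disabled"
    return {"enabled": enabled, "port": port, "interfaces": ifaces,
            "wan_facing": wan_facing, "priority": priority}


if __name__ == "__main__":
    for name, sample in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        print(name, sslvpn_exposure(sample))
```

Feed it one backup per device and sort the fleet by the `priority` field; a device that reports `enabled` with an empty `wan_facing` list still deserves a look, since the interface role is only a hint and an SSL-VPN portal on a LAN-role interface can still be reachable through NAT or a DMZ.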

Volt Typhoon connections

While it did not draw any link to the recently disclosed Volt Typhoon attacks targeting critical infrastructure organizations across the United States, Fortinet did mention the possibility that the Chinese cyberespionage group could also target the CVE-2023-27997 flaw.

“At this time we are not linking FG-IR-23-097 to the Volt Typhoon campaign, however Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices,” the company said.

“For this reason, Fortinet urges immediate and ongoing mitigation through an aggressive patching campaign.”

Volt Typhoon is known for hacking into Internet-exposed Fortinet FortiGuard devices via an unknown zero-day vulnerability to gain access to the networks of organizations in a wide range of critical sectors.

The threat actors also use compromised routers, firewalls, and VPN appliances from multiple vendors to evade detection by ensuring their malicious activity blends in with legitimate network traffic.

Fortinet said today that the group is primarily targeting devices unpatched against CVE-2022-40684, an authentication bypass vulnerability in FortiOS / FortiProxy / FortiSwitchManager devices, for initial access.

However, as previously mentioned, the threat actors are expected to also start abusing new vulnerabilities as they are disclosed.
