
Fortinet has released patches for a critical vulnerability (CVE-2023-27997) in the SSL-VPN component of FortiOS and FortiProxy. The vulnerability may already have been exploited in attacks targeting government, manufacturing, and critical infrastructure organisations.
In a separate blog post, Fortinet clarifies: “At this time, we are not linking FG-IR-23-097 to the Volt Typhoon campaign. However, Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue exploiting unpatched vulnerabilities in widely used software and devices.”
_____________________________
A. Nature of Vulnerability
CVE-2023-27997
- A heap-based buffer overflow vulnerability in the FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. The overflow is reachable before authentication, so an SSL-VPN portal exposed to the internet can be attacked without valid credentials.
_____________________________
B. Affected Product Version
FortiOS:
- FortiOS version 7.2.0 through 7.2.4
- FortiOS version 7.0.0 through 7.0.11
- FortiOS version 6.4.0 through 6.4.12
- FortiOS version 6.0.0 through 6.0.16
FortiOS-6K7K:
- FortiOS-6K7K version 7.0.10
- FortiOS-6K7K version 7.0.5
- FortiOS-6K7K version 6.4.12
- FortiOS-6K7K version 6.4.10
- FortiOS-6K7K version 6.4.8
- FortiOS-6K7K version 6.4.6
- FortiOS-6K7K version 6.4.2
- FortiOS-6K7K version 6.2.9 through 6.2.13
- FortiOS-6K7K version 6.2.6 through 6.2.7
- FortiOS-6K7K version 6.2.4
- FortiOS-6K7K version 6.0.12 through 6.0.16
- FortiOS-6K7K version 6.0.10
FortiProxy:
- FortiProxy version 7.2.0 through 7.2.3
- FortiProxy version 7.0.0 through 7.0.9
- FortiProxy version 2.0.0 through 2.0.12
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
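Checking a device inventory against the affected-version table above, as an added example that is not part of the CERT-PH bulletin or of Fortinet's advisory. The hostnames, build numbers and the (host, product, version) inventory shape are assumed for illustration; the version strings follow the form printed by `get system status` on a FortiGate. Only the affected ranges from section B are encoded, not the fixed releases, so a build newer than every listed range is reported as "not in a listed range" rather than as fixed.

```python
"""Check FortiOS / FortiOS-6K7K / FortiProxy versions against the affected
ranges in section B of the bulletin (CVE-2023-27997, FG-IR-23-097).

Added example, not from the bulletin or from Fortinet. Only "is this version
inside a listed affected range" is encoded; the fix release for each branch
must be taken from Fortinet's advisory.
"""

import re
from typing import List, NamedTuple, Optional, Tuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}"


def parse_version(text: str) -> Version:
    """Extract the first x.y.z token from a version string.

    Accepts bare '7.0.11', 'v7.0.11,build0489', or a whole line such as
    'FortiGate-100F v7.0.11,build0489,230314 (GA)' (the shape of the
    Version line printed by 'get system status' on FortiGate; assumed here).
    """
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return Version(*(int(g) for g in m.groups()))


Range = Tuple[Version, Version]


def _r(low: str, high: Optional[str] = None) -> Range:
    """Inclusive range; a single argument means exactly that one release."""
    lo = parse_version(low)
    return (lo, parse_version(high) if high else lo)


# Inclusive affected ranges, transcribed from section B of the bulletin.
# FortiOS-6K7K is its own branch with its own release list: do not check a
# 6K7K device against the regular FortiOS ranges.
AFFECTED = {
    "FortiOS": [
        _r("7.2.0", "7.2.4"), _r("7.0.0", "7.0.11"),
        _r("6.4.0", "6.4.12"), _r("6.0.0", "6.0.16"),
    ],
    "FortiOS-6K7K": [
        _r("7.0.10"), _r("7.0.5"),
        _r("6.4.12"), _r("6.4.10"), _r("6.4.8"), _r("6.4.6"), _r("6.4.2"),
        _r("6.2.9", "6.2.13"), _r("6.2.6", "6.2.7"), _r("6.2.4"),
        _r("6.0.12", "6.0.16"), _r("6.0.10"),
    ],
    "FortiProxy": [
        _r("7.2.0", "7.2.3"), _r("7.0.0", "7.0.9"), _r("2.0.0", "2.0.12"),
    ],
}

# Release trains listed as "all versions": any x.y.z with this major.minor.
AFFECTED_TRAINS = {"FortiProxy": [(1, 2), (1, 1)]}


def is_affected(product: str, version: str) -> bool:
    """True if 'version' of 'product' falls inside a listed affected range."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product {product!r}; expected one of {sorted(AFFECTED)}")
    v = parse_version(version)
    if (v.major, v.minor) in AFFECTED_TRAINS.get(product, ()):
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that are affected."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "FortiGate-100F v7.0.11,build0489,230314 (GA)"),
    ("fw-edge-02", "FortiOS", "v7.2.5,build1517"),      # newer than every listed 7.2.x range
    ("fw-core-01", "FortiOS-6K7K", "v7.0.9"),            # 6K7K lists 7.0.10 and 7.0.5 only
    ("fw-core-02", "FortiOS-6K7K", "v6.2.10"),           # inside 6.2.9 through 6.2.13
    ("proxy-01", "FortiProxy", "v1.2.13"),               # FortiProxy 1.2, all versions
]

if __name__ == "__main__":
    for host, product, version in SAMPLE_INVENTORY:
        state = "AFFECTED" if is_affected(product, version) else "not in a listed range"
        print(f"{host:12} {product:13} {str(parse_version(version)):>8}  {state}")
```

Feeding the script the real `get system status` output of each device rather than a hand-typed version avoids the common mistake of reading the version from an outdated asset register; the 6K7K entries show why the product branch must be recorded alongside the version number.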
_____________________________
C. Actions to be Taken
CERT-PH recommends the following actions:
- Review the affected-version list above and apply the fixed FortiOS, FortiOS-6K7K or FortiProxy release that Fortinet has published for your branch.
- Where the update cannot be applied immediately, disable SSL-VPN as an interim workaround, as described in the official advisory.
- Regularly check for and apply the latest vendor patches, prioritising public-facing devices and applications.
- Proactively monitor identified systems and devices for suspicious or malicious activity.
- For additional information, refer to the official reports:
- https://www.fortiguard.com/psirt/FG-IR-23-097
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign