Alert essentials:
A flaw in all FortiGate SSL VPN appliances allows remote firewall access and exploitation without user credentials. The vulnerability is not currently utilized but is expected to be weaponized quickly. A fix is available; immediately upgrade the firmware on all Fortinet SSL VPN Appliances.

Email Team

Detailed threat description:
Limited details offer more questions than answers today as we are notified of yet another serious vulnerability in Fortinet appliances. Every version of the SSL VPN appliance is vulnerable to a remote code execution reachable even if Multifactor Authentication is activated. This vulnerability is pre-auth, meaning it allows an attacker to bypass authentication and execute code as a privileged user. Reports say a Fortinet SSL VPN may be interfered with, and that is where the information currently stops.

This vulnerability still needs to be exploited, but it is only a matter of time before attackers weaponize it. A fix is available, which means the bad actors look at the fix to determine vulnerability specifics, and from there, weaponization will be swift. Speculation is that more details will be released tomorrow, June 13, 2023. Until then, apply the fix by updating the firmware on vulnerable appliances as soon as possible!

There are no current mitigations, although that may change when more details are released.

Impact on healthcare organizations
When attackers bypass a perimeter firewall, they can access the entire network completely. The damages caused are limited only to the threat actor’s imagination. They could alter coding on varied system components causing malfunction, obtain patient ePHI, and perform data exfiltration. Once they obtain enough data to exploit individuals or the organization, they could deploy ransomware into the system. Taking all the technology offline and heavily affecting patient care.

Most Fortinet appliances are configured to allow remote user access through the SSL-VPN component of FortiGate. The pre-auth vulnerability exists in this component and is responsible for the potential ‘interference’ from threat actors if the latest firmware version has not been installed.

The attack surface of Fortinet appliances has been growing noticeably over the last two to three years. This should be considered when budgeting for upgrades or future appliances.

Affected products / versions

  • FortiOS versions 7.2.5, 7.0.12, 6.4.13, 6.2.15 and, apparently also in v6.0.17
  • It affects all SSL VPN appliances, even if multi-factor authentication is enabled

CVE

  • CVE-2023-27997

Recommendations

Engineering recommendations:

  • Upgrade Fortigate devices as soon as possible
  • If Fortinet is using firmware prior to versions: 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 and the user remote web interface is exposed, the appliance is vulnerable.
  • Fortigate users can check if their devices are vulnerable by using the following command on the CLI:
    • Diagnose sys fortiguard-service status
  • If the output shows FortiOS Version: 7.2.5 or higher, 7.0.12 or higher, 6.4.13 or higher, 6.2.15 or higher, or 6.0.17 or higher, the device is not vulnerable. If the output shows a lower version number, the device is vulnerable and must be patched.
  • If the available update doesn’t appear in the device’s dashboard, rebooting it may make it appear. If not, manual download and installation are advised.

Leadership / program recommendations:

  • Review network configurations and firewall rules to ensure that only authorized and trusted users can access the SSL VPN functionalities of FortiGate devices.
  • Users can also use external tools such as Nmap or Shodan to scan their devices for open ports related to SSL VPN (such as 443 or 10443) and check the banner information for the FortiOS version number.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

 

References: