Cybersecurity firm Fortinet is warning organizations of a critical vulnerability in its FortiGate SSL-VPN devices, continuing a string of recent exploitations of vulnerabilities in similar devices due to their internet-facing nature and access to a victim’s network.
The vulnerability–tracked as CVE-2023-27997–is a heap-based overflow flaw that could allow a remote attacker to execute arbitrary code or commands via specially crafted requests, says the Sunnyvale, Calif.-based firewall and endpoint security firm.
According to Fortinet, its Product Security Incident Response Team, following a previous incident from January also impacting FortiOS SSL VPN with exploitation, initiated a code audit of the SSL-VPN module, leading to the identification of issues that have been remediated in the company’s patch.
The investigation found that CVE-2023-27997 “may have been exploited in a limited number of cases.”
In the company’s blog, Fortinet says the attacks mimic the activity of Volt Typhoon, a suspected China-sponsored hacking group that has been targeting critical infrastructure organization. However, Fortinet doesn’t go as far to link exploitation of the vulnerability to that group, but does expect Volt Typhoon and other threat actors to leverage the bug in unpatched software and devices.
FortiGate devices were identified by the U.S. National Security Agency as being targeted by Volt Typhoon as an initial intrusion vector.
Organizations should apply the patch immediately. If they aren’t able to do so, disabling SSL-VPN is a legitimate workaround, the company says.
These devices and other SSL VPN products from Citrix, Pulse Secure and others have been popular targets in recent years, says Satnam Narang, senior staff research engineer at vulnerability management firm Tenable.
According to Narang, these flaws have not only been exploited by ransomware groups but also by nation-state aligned threat actors with a particular focus on flaws in Fortinet devices.
“SSL-VPNs are attractive targets due to their internet-facing nature, providing access to a company’s intranet,” Narang says. “They became even more popular at the beginning of the pandemic, as organization’s shifted towards allowing for remote work.”
Narang adds that pre-authentication bugs like CVE-2023-27997 are especially valuable to remote attackers because they don’t need to have valid credentials.
“Despite patches being available, the inherent value of the flaw remains significant, considering the ongoing success threat actors achieve by exploiting known, unpatched vulnerabilities,” Narang says. “It’s not a question of ‘if’, but rather ‘when’ a public proof-of-concept exploit for this flaw is made public, that we can expect more widespread scanning and exploitation of vulnerable assets.”
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!