UPDATE--Fortinet has released a firmware update that fixes a critical, pre-authentication remote code execution vulnerability in its FortiGate security appliances when the SSL VPN module is enabled.
The details of the vulnerability (CVE-2023-27997) became public on Monday when the company published an advisory and a blog post analyzing the bug and the in-the-wild exploit. Fortinet had released the fixed firmware the previous Friday. Every current FortiOS branch is affected; the fixed versions are 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.
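For anyone triaging a fleet, the per-branch fixed versions above translate into a simple "at or above the fix for my branch" comparison. The helper below is an added example, not Fortinet tooling. It assumes the version string is the `vX.Y.Z` form shown by `get system status` (build suffixes are ignored) and that the branch table contains only the releases named in this article, so a branch the article does not mention comes back as `unknown-branch` rather than being guessed at.

```python
"""Check a FortiOS build against the CVE-2023-27997 fixed releases listed
in the article (6.0.17, 6.2.15, 6.4.13, 7.0.12, 7.2.5).

Added example, not Fortinet tooling. Assumptions: the version string is the
'vX.Y.Z' form shown by `get system status` (build suffixes are ignored), and
FIXED_VERSIONS holds only the branches the article names."""

import re

# Branch (major, minor) -> first fixed release, as listed in the article.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'FortiGate-100F v7.0.11,build0489,230314 (GA.F)' -> (7, 0, 11)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version, ssl_vpn_enabled=True):
    """Classify one appliance.

    Returns 'patched', 'vulnerable', 'not-exposed' or 'unknown-branch'.
    'not-exposed' means SSL VPN is disabled, so the vulnerable handler is
    not reachable, but the build is still below the fix and should be
    upgraded before SSL VPN is ever enabled."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    if (major, minor, patch) >= fixed:
        return "patched"
    return "vulnerable" if ssl_vpn_enabled else "not-exposed"


def fleet_report(inventory):
    """inventory: iterable of (hostname, version_string, ssl_vpn_enabled).
    Returns {hostname: status} for quick sorting of an upgrade queue."""
    return {host: assess(ver, vpn) for host, ver, vpn in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("fw-edge-1", "v7.0.11,build0489,230314 (GA.F)", True),
        ("fw-edge-2", "v7.2.5,build1517", True),
        ("fw-lab", "v6.4.12", False),
    ]
    for host, status in fleet_report(sample).items():
        print(f"{host}: {status}")
```

The tuple comparison is what makes this correct across branches: 6.4.13 is the fix for 6.4 even though 7.0.11 is numerically "newer" and still vulnerable.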
"As mentioned in the advisory, we detected this issue in the wild and were able to collect a sample of the malware along with related network traffic. The malware was a variant of a generic Linux implant customized for FortiOS," Fortinet researchers said in the blog post.
"The suspicious binary was located at /data/lib/libips.bak. This file may be masquerading as a component of Fortinet’s IPS Engine, located at /data/lib/libips.so. The file /data/lib/libips.so was present, but with a zero file size."
Two French offensive security researchers from Lexfo discovered the vulnerability and reported it to Fortinet. The company did not call out the vulnerability in the firmware release notes, but the researchers who found the bug said on Twitter that it had been patched, and other researchers diffed the vulnerable and patched firmware and located the fix.
"We discovered a heap overflow bug on the internet-facing interface of the VPN. This vulnerability, which is reachable without authentication, can be leveraged to get remote code execution on Fortigate instances. The bug is located on the web interface that allows users to authenticate to the VPN. This interface is, by design, internet-facing. If we hit the path /remote/hostcheck_validate, we can send an HTTP parameter named enc, through GET or POST. The parameter, which does not seem to be much used now, seems to be an old way for Fortigate to forward HTTP parameters across requests," Charles Fol, one of the researchers from Lexfo, who discovered the flaw, said in a post.
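The attack surface Fol describes, an unauthenticated handler at /remote/hostcheck_validate that accepts an enc parameter in either the query string or a POST body, is concrete enough to hunt for in captured traffic. The triage helper below is an added example, not Lexfo's or Fortinet's code. It parses raw HTTP/1.x requests (for instance carved from a capture or an IDS alert) and reports each one that reaches the handler with an enc value. The sample requests are constructed; the parser is deliberately lenient about Content-Type because an attacker controls the headers. Presence of enc is a hunting lead, not proof of exploitation: as the quote notes, the parameter is a legacy mechanism that legitimate clients may still send.

```python
"""Triage raw HTTP requests for the CVE-2023-27997 attack surface described
in the article: the FortiGate SSL VPN handler /remote/hostcheck_validate and
its `enc` parameter, sent via GET or POST.

Added example, not Lexfo's or Fortinet's code. SAMPLE_REQUESTS is
constructed traffic, not real captures."""

from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/remote/hostcheck_validate"
PARAM = "enc"


def parse_raw_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers, body


def enc_values(method, target, body):
    """Return the `enc` values aimed at the hostcheck handler, or None when
    the request does not touch that path at all."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    if method == "POST" and body:
        # Lenient by design: parse the body as a form regardless of the
        # Content-Type header, since an attacker may omit or fake it.
        form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        values += form.get(PARAM, [])
    return values


def triage(raw):
    """One finding per request that reaches the handler with an `enc` value,
    else None. The length is reported so an analyst can eyeball outliers;
    no threshold is assumed here."""
    method, target, _headers, body = parse_raw_request(raw)
    values = enc_values(method, target, body)
    if not values:
        return None
    return {
        "method": method,
        "path": TARGET_PATH,
        "enc_count": len(values),
        "max_enc_len": max(len(v) for v in values),
    }


def hunt(requests):
    """Run triage over an iterable of raw requests and keep the hits."""
    return [f for f in (triage(r) for r in requests) if f]


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    b"GET /remote/hostcheck_validate?enc=deadbeef HTTP/1.1\r\n"
    b"Host: vpn.example.com\r\n\r\n",
    b"POST /remote/hostcheck_validate HTTP/1.1\r\n"
    b"Host: vpn.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 14\r\n\r\n"
    b"enc=cafebabe00",
    b"GET /remote/login?lang=en HTTP/1.1\r\nHost: vpn.example.com\r\n\r\n",
    b"GET /remote/hostcheck_validate HTTP/1.1\r\nHost: vpn.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_REQUESTS):
        print(finding)
```

Of the four constructed requests, only the first two are reported: the login page is off-path, and a hostcheck request with no enc parameter never reaches the parsing that Fol describes.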
This bug is somewhat reminiscent of one that Fortinet researchers discovered being exploited in the wild late last year. That vulnerability (CVE-2022-42475) is a heap-based buffer overflow in the sslvpnd daemon, and soon after the initial advisory came out in December, attackers began targeting vulnerable appliances. Other Fortinet vulnerabilities have also been popular targets for attackers, thanks to the large install base for the company's products and the serious foothold a compromised edge appliance gives in an enterprise network.
The new vulnerability is only reachable when SSL VPN functionality is enabled on the FortiGate appliance; units with SSL VPN disabled are not exposed, though they should still be upgraded before the feature is ever turned on.
This story was updated on June 13 to add context from the Fortinet advisory and the Lexfo analysis.