Fortinet warns critical VPN vulnerability 'may' be under attack

Attackers might be exploiting another critical Fortinet SSL VPN vulnerability to target government and critical infrastructure organizations, the security vendor warned.

Fortinet published an advisory for a heap buffer overflow vulnerability Monday and an analysis blog by Carl Windsor, senior vice president of product technology and solutions at Fortinet. Windsor warned that attackers might be exploiting CVE-2023-27997, or what Fortinet tracks as FG-IR-23-097.

While auditing code for a previously disclosed critical zero-day vulnerability in Fortinet's SSL VPN that was exploited in the wild in December, security engineer Charles Fol and penetration tester Dany Bach, both with French infosec consultancy Lexfo, discovered six additional flaws. The most critical of the bunch is CVE-2023-27997, which can allow attackers to gain remote code execution capabilities.

The vulnerability affects FortiOS and FortiProxy software, which affects the vendor's SSL VPN and firewall products, respectively. Exploitation could lead to data loss as well as OS and file corruption. Fortinet warned that the flaw requires immediate customer action and advised users to update their firmware.

"Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation," Windsor wrote in the blog post.

The blog post also addressed potential exploitation activity by Volt Typhoon, a Chinese state-sponsored threat group. During incident response investigations, Fortinet discovered that threat actors primarily exploited an authentication bypass flaw in FortiOS, tracked as CVE-2022-40684, to gain initial access. Other indicators of compromise used in the Volt Typhoon campaign included admin accounts named fortinet-tech-support and fortigate-tech-support.

Last month, Microsoft Threat Intelligence warned that Volt Typhoon was actively targeting U.S. critical infrastructure in a cyberespionage campaign. The group achieved initial access through vulnerable Fortinet FortiGuard devices. Microsoft found that the evasion techniques Volt Typhoon uses make it hard for enterprises to detect and mitigate attacks because the attackers primarily live off the land rather than use malware.

While Fortinet said it hasn't observed the Volt Typhoon campaign exploiting CVE-2023-27997, the vendor believes the threat actor might take advantage of the critical flaw soon.

"At this time we are not linking FG-IR-23-097 to the Volt Typhoon campaign, however Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices," the blog post read. "For this reason, Fortinet urges immediate and ongoing mitigation through an aggressive patching campaign."

TechTarget Editorial contacted Fortinet for additional information, but the vendor provided a statement similar to the advisory and blog:

We published a PSIRT [Product Security Incident Response Team] advisory (FG-IR-23-097) on June 12th that details recommended next steps regarding CVE-2023-27997. Fortinet continues to monitor the situation and has been proactively communicating to customers, strongly urging them to immediately follow the guidance provided to mitigate the vulnerability using either the provided workarounds or by upgrading. As follow-up to this, we have shared additional detail and clarifications to help our customers make informed, risk-based decisions regarding CVE-2022-27997 in this blog. For more information, please refer to the blog and advisory.

It remains unclear if Fortinet observed exploitation activity, as the vendor did not confirm whether CVE-2023-27997 is being actively exploited. Potential threat groups attributed to the exploitation remain unknown as well.

Fortinet recommends customers immediately patch their systems and review logs for evidence of exploit for CVE-2022-40684, which was observed in the previous Volt Typhoon campaign.

Rapid7 President Andrew Burton criticized Fortinet's lack of transparency in response to CVE-2023-27997. In a blog post Monday, Burton said Fortinet silently patched the flaw on June 9, a consistent problem he's observed with the vendor.

"The company has a history of issuing security patches prior to disclosing critical vulnerabilities. Presumably, this policy is meant to give customers time to update their devices before threat actors exploit flaws, but in practice, it gives attackers a head start on attack development while keeping vulnerable organizations in the dark," Burton wrote.

Arielle Waldman is a Boston-based reporter covering enterprise security news.