Fortinet squashes hijack-my-VPN bug in FortiOS gear


Fortinet has patched a critical bug in its FortiOS and FortiProxy SSL-VPN that can be exploited to hijack the equipment.

The remote code execution vulnerability, tracked as CVE-2023-27997, was spotted and disclosed by Lexfo security analysts Charles Fol and Dany Bach.

Fortinet has warned the bug looks to have been exploited in the wild already. The security flaw lies within the SSL-VPN, so if you have that enabled, you are potentially vulnerable to attack.

"This is reachable pre-authentication, on every SSL VPN appliance," Fol tweeted, adding that Fortinet has released multiple updates for FortiOS and FortiProxy to close the SSL-VPN hole. Admins should get patching ASAP before more exploits are developed; an attacker just needs to be able to reach the device to exploit it, disrupt traffic, and explore the rest of the corporate network.

You can find a list of affected products and their updates here. The bug, a heap buffer overflow, is rated 9.2 out of 10 in terms of severity.

"The flaw would allow a hostile agent to interfere via the VPN, even if the MFA is activated," French managed security services provider Olympe Cyberdefense added in its own advisory.

Info available now

Fortinet did not respond to The Register's questions about the vulnerability. Both Fol and Lexfo promised more details at a later time.

In the meantime, there's a write-up here on Fortinet's website regarding CVE-2023-27997 that you should check out if you use any affected FortiOS gear.

On that page, the developer noted the CVE-2023-27997 vulnerability – which it tracks as FG-IR-23-097 – may have been abused in the wild:

Fortinet disclosed an SSL-VPN flaw in December, for what it's worth, and at the time said it was aware of "an instance" where the bug had been exploited. That vulnerability, CVE-2022-42475, was a critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN, which could be exploited to crash or potentially hijack equipment.

A month later, the security vendor admitted that the 9.8-out-of-10 severity bug had been abused to infect government and government-related organizations with custom-made malware.

While it didn't say who was behind the attacks, Fortinet noted the discovered samples looked to have been compiled "on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries."


Then in March, details emerged of suspected Chinese spies making use of another critical Fortinet bug, and also using custom networking malware to steal credentials and maintain network access.

Fortinet fixed that path traversal vulnerability in FortiOS, tracked as CVE-2022-41328, that month, and then a few days later released a more detailed analysis.

It indicated that miscreants were using the flaw in an effort to attack large organizations, steal their data, and cause OS or file corruption: "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets."

And in a much more detailed report published later in the month, Mandiant pinned the blame on Chinese hackers — with the (then) FortiOS zero day, and "multiple" bespoke malware families. ®