⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2023-07-04.

CVE-2023-27997

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write18 documents11 sources

Severity

9.8CRITICAL

EPSS

89.1%

top 0.47%

CISA KEV

KEVRansomware

Added 2023-06-13

Due 2023-07-04

Exploit

Exploited in wild

Active exploitation observed

Affected products

Fortinet Fortios Fortinet Fortios-6k7k Fortinet Fortiproxy

Timeline

PublishedJun 13

KEV addedJun 13

KEV dueJul 4

Latest updateJul 5

CISA Required Action: Apply updates per vendor instructions.

Description

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5fortinet/fortios7.2.0 — 7.2.4+4

▶NVDfortinet/fortios6.0.0 — 6.0.16+17

▶CVEListV5fortinet/fortiproxy7.2.0 — 7.2.3+4

▶NVDfortinet/fortiproxy1.1.0 — 1.1.6+4

▶CVEListV5fortinet/fortios-6k7k6.2.9 — 6.2.13+11

🔴Vulnerability Details

GHSA

GHSA-2hj2-fcr9-9p35: A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7↗2023-06-13

▶

CVEList

CVE-2023-27997: A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7↗2023-06-13

▶

VulnCheck

Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability↗2023

▶

🔍Detection Rules

Suricata

ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/error (CVE-2023-27997)↗2023-07-05

▶

Suricata

ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/logincheck (CVE-2023-27997)↗2023-06-13

▶

Suricata

ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/hostcheck_validate (CVE-2023-27997) M1↗2023-06-13

▶

Suricata

ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/hostcheck_validate (CVE-2023-27997)↗2023-06-13

▶

Suricata

ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/logincheck (CVE-2023-27997)↗2023-06-13

▶

📋Vendor Advisories

CISA

Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability↗2023-06-13

▶

Fortinet

Heap buffer overflow in sslvpn pre-authentication↗2023-06-13

▶

🕵️Threat Intelligence

Fortinet

Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign | Fortinet Blog↗2023-06-12

▶

Recorded Future

Fortinet CVE-2023-27997: Impact and Mitigation Techniques↗

▶

Recorded Future

Fortinet CVE-2023-27997: Impact and Mitigation Techniques↗

▶

Huntress

CVE-2023-27997 Vulnerability: Analysis, Impact, Mitigation | Huntress↗

▶