DIVD-2023-00029 - Critical Fortinet SSL-VPN RCE Vulnerability

Our reference DIVD-2023-00029
Case lead Ralph Horn
Author Boaz Braaksma
Researcher(s)
CVE(s)
Product FortiOS-6K7K, FortiProxy, and FortiOS
Versions
  • FortiOS-6K7K version 7.0.10
  • FortiOS-6K7K version 7.0.5
  • FortiOS-6K7K version 6.4.12
  • FortiOS-6K7K version 6.4.10
  • FortiOS-6K7K version 6.4.8
  • FortiOS-6K7K version 6.4.6
  • FortiOS-6K7K version 6.4.2
  • FortiOS-6K7K version 6.2.9 through 6.2.13
  • FortiOS-6K7K version 6.2.6 through 6.2.7
  • FortiOS-6K7K version 6.2.4
  • FortiOS-6K7K version 6.0.12 through 6.0.16
  • FortiOS-6K7K version 6.0.10
  • FortiProxy version 7.2.0 through 7.2.3
  • FortiProxy version 7.0.0 through 7.0.9
  • FortiProxy version 2.0.0 through 2.0.12
  • FortiProxy 1.2 all versions
  • FortiProxy 1.1 all versions
  • FortiOS version 7.2.0 through 7.2.4
  • FortiOS version 7.0.0 through 7.0.11
  • FortiOS version 6.4.0 through 6.4.12
  • FortiOS version 6.2.0 through 6.2.13
  • FortiOS version 6.0.0 through 6.0.16
Recommendation Upgrade your affected installations to one of the fixed versions listed by Fortinet in their Security Advisory.
Patch status Fuly patched
Status Closed
Last modified 26 Sep 2023 12:02 CEST

Summary

Following previous incident FG-IR-22-398 / CVE-2022-42475 published on January 11, 2023 (known to us as DIVD-2022-00063) where a heap-based buffer overflow in FortiOS SSL VPN with exploitation was observed in the wild, the Fortinet Product Security Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module. This audit, together with a responsible disclosure from a third-party researcher, led to the identification of this new critical SSL-VPN RCE Vulnerability. According to a blog, posted by BishopFox, there were nearly 490,000 affected SSL VPN interfaces exposed on the internet on June 30th of 2023. Roughly 69% of them were at that time unpatched.

What you can do

Upgrade your SSL VPN instance to the latest version or apply the work-around: disable SSL VPN or only allow whitelisted IPs.

What we are doing

DIVD is currently scanning for vulnerable instances connected to the public internet. We would like to thank Fox-IT / NCC Group for the data on this vulnerability that we will use to notify owners of vulnerable systems. Owners of vulnerable systems will receive a notification with instructions to update their system.

Timeline

Date Description
09 Jun 2023 Fortinet released security fixes
09 Jun 2023 DIVD starts tracking this vulnerability
13 Jul 2023 Fortinet publishes security advisory
12 Jun 2023 DIVD starts researching fingerprint
13 Jun 2023 DIVD identifies vulnerable devices”
17 Jul 2023 Fox-IT/NCC Group shares data of more vulnerable devices with DIVD
17 Jul 2023 First version of this casefile
07 Aug 2023 First Mailrun.
26 Sep 2023 Case closed after monitoring phase.
gantt title DIVD-2023-00029 - Critical Fortinet SSL-VPN RCE Vulnerability dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00029 - Critical Fortinet SSL-VPN RCE Vulnerability (109 days) :2023-06-09, 2023-09-26 section Events Fortinet released security fixes : milestone, 2023-06-09, 0d DIVD starts tracking this vulnerability : milestone, 2023-06-09, 0d Fortinet publishes security advisory : milestone, 2023-07-13, 0d DIVD starts researching fingerprint : milestone, 2023-06-12, 0d DIVD identifies vulnerable devices” : milestone, 2023-06-13, 0d Fox-IT/NCC Group shares data of more vulnerable devices with DIVD : milestone, 2023-07-17, 0d First version of this casefile : milestone, 2023-07-17, 0d First Mailrun. : milestone, 2023-08-07, 0d Case closed after monitoring phase. : milestone, 2023-09-26, 0d

More information