What is Fortinet SSL-VPN? #

Fortinet SSL-VPN is a VPN capability offered in some Fortinet products, including FortiGate firewall devices. This service provides secured network communications between a remote client and protected devices on an internal network. Several modes of operation are supported, including "tunnel mode" (which requires use of the FortiClient VPN client) and "web mode" (which does not require client-side VPN software).

Latest Fortinet SSL-VPN vulnerability #

Fortinet warned customers this week of potential limited exploitation in the wild regarding a flaw affecting the SSL-VPN software component. This critical vulnerability (tracked as CVE-2023-27997) can be remotely exploited without authentication and can yield remote code or command execution to an attacker. Discovered by researchers Charles Fol and Dany Bach at LEXFO, disclosure-and-fix of this vulnerability coincided with an internal SSL-VPN audit-and-fix effort at Fortinet which covered this and five additional vulnerabilities.

What is the impact? #

Of the six disclosed vulnerabilities, CVE-2023-27997 is considered the most severe with a "critical" CVSS score of 9.2. This pre-authentication vulnerability is rooted in a heap-based buffer overflow, seemingly similar to CVE-2022-42475 which was disclosed earlier this year as also affecting SSL-VPN (and did have reported exploitation in the wild). Attackers can exploit this vulnerability via a specially crafted request.

The complete list of recently disclosed-and-fixed Fortinet SSL-VPN vulnerabilities is as follows:

  • CVE-2023-27997 (9.2, "critical) - pre-auth heap buffer overflow in SSL-VPN, exploitation could yield code/command execution
  • CVE-2023-29180 (7.3, "high") - null pointer dereference in SSLVPNd, exploitation could cause a denial-of-service condition by crashing SSLVPNd
  • CVE-2023-22640 (7.1, "high") - out-of-bounds write in SSLVPNd, exploitation could yield code/command execution
  • CVE-2023-29181 (8.3, "high") - format string bug in Fclicense daemon, exploitation could yield code/command execution
  • CVE-2023-29179 (6.4, "medium") - null pointer dereference in the SSLVPNd proxy endpoint, exploitation could cause a denial-of-service condition by crashing SSLVPNd
  • CVE-2023-22641 (4.1, "medium") - open redirect in SSLVPNd, exploitation could allow an attacker to redirect a user's browser to a malicious URL

Are updates available? #

Fortinet published new firmware versions a few days ahead of this disclosure. A variety of FortiOS, FortiOS-6K7K, and FortiProxy versions have been patched to fix the recently disclosed CVEs affecting SSL-VPN: CVE-2023-27997, CVE-2023-29180, CVE-2023-22640, CVE-2023-29181, CVE-2023-29179, CVE-2023-22641. Admins or owners of Fortinet appliances/products running affected firmware with SSL-VPN enabled should ensure they are updated to one of the newer firmware versions. If updating is not a near-term option, disabling the SSL-VPN service on affected appliances can mitigate the risk of exploitation.

How do I find potentially vulnerable Fortinet SSL-VPN instances with runZero? #

From the Services inventory, use the following prebuilt query to locate Fortinet SSL-VPN instances in your network:

_asset.protocol:http AND protocol:http AND (http.head.setCookie:="SVPNCOOKIE%SVPNNETWORKCOOKIE%" OR last.http.head.setCookie:="SVPNCOOKIE%SVPNNETWORKCOOKIE%")

Fortinet SSL-VPN query

Results from the above query should be triaged to verify those assets are running updated firmware versions.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Written by Pearce Barry

More about Pearce Barry
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

Rapid Response
How to find Citrix Virtual Apps and Desktops software on your network
Citrix has released an advisory for two vulnerabilities affecting Citrix Virtual Apps and Desktops software.
Rapid Response
How to find FortiManager instances on your network
How to find FortiManager instances on your network using runZero
Rapid Response
How to find SolarWinds Web Help Desk services on your network
CISA has announced that CVE-2024-28987 is actively being exploited in SolarWinds' Web Help Desk software. Here's how to find potentially affected...
Rapid Response
How to find SuperMicro BMCs
Supermicro released a vulnerability advisory for a critical CVE that allows for remote code execution (CVE-2024-36435). Here's how to find impacted...

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved