Fortinet fixes critical RCE bug in Fortigate SSL VPNs (June 2023)

Fortinet released firmware updates for FortiOS, the operating system of its FortiGate SSL VPN appliances, on June 9, 2023. What Fortinet did not say at the time is that these updates should be installed urgently, because they close a critical remote code execution (RCE) vulnerability in the FortiGate SSL VPN. The issue came to my attention on Twitter and was also reported to me by blog readers.


Blog reader Martin H. notified me in a private message on Facebook about these firmware updates:

You've probably already seen it, but Fortinet really drives you crazy. Is it too much to ask to send a simple message to your partners saying "Urgent patching! We will explain why later"? Why do you have to read about that on your site or some other site? It really can't go on like this.

I had seen the topic on Twitter, where some security experts are up in arms because Fortinet published no warning or advisory alongside the release. Last Friday, security updates were released as FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12 and 7.2.5. Will Dormann picks it up in the following tweet:

Fortinet FortiOS updates

He notes that FortiOS versions 7.2.5, 7.0.12, 6.4.13, 6.2.15 and 6.0.17 fix the critical remote code execution vulnerability CVE-2023-27997, while Fortinet had published no PSIRT advisory for it (the screenshot shows that the most recent security advisory is dated May 2023).

The security specialists at OLYMPE also pointed out that the updates close a critical RCE vulnerability. The vulnerability lets an attacker get in through the SSL VPN even when MFA is enabled, so MFA is no mitigation here. In another tweet, Will Dormann criticizes Fortinet's practice of shipping the updates without any explanation; in effect, the updates should have been applied urgently on Friday.
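Since the only public signal at this point was the list of fixed firmware versions, the practical question for an administrator is whether a given FortiGate is still below the fixed release of its branch. The following Python script is an added example (not from the original post, from Fortinet, or from any of the researchers named here): it parses the version token from the first line of FortiGate's `get system status` CLI output and compares it against the fixed releases listed above. The sample status lines are constructed, and their build and date fields are placeholders. Branches the post does not name (such as 7.4) are deliberately reported as "unknown" rather than "patched", because no fixed release is listed for them.

```python
import re

# First fixed FortiOS release per branch, as listed in the post for CVE-2023-27997.
# A branch missing from this table is reported as "unknown", never as safe.
FIXED_RELEASES = {
    (6, 0): 17,
    (6, 2): 15,
    (6, 4): 13,
    (7, 0): 12,
    (7, 2): 5,
}

# Matches the version token in the first line of `get system status`,
# e.g. "Version: FortiGate-100F v7.2.4,build0000,000000 (GA.F)".
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_version(status_output: str):
    """Return (major, minor, patch) from `get system status` text, or None if absent."""
    match = VERSION_RE.search(status_output)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def assess(status_output: str) -> str:
    """Classify a device as 'vulnerable', 'patched' or 'unknown' for CVE-2023-27997.

    'unknown' covers both unparsable output and branches not in FIXED_RELEASES,
    so that an unlisted branch is never silently treated as patched.
    """
    version = parse_version(status_output)
    if version is None:
        return "unknown"
    major, minor, patch = version
    fixed_patch = FIXED_RELEASES.get((major, minor))
    if fixed_patch is None:
        return "unknown"
    return "patched" if patch >= fixed_patch else "vulnerable"


# Constructed sample output (not real device output; build/date fields are placeholders).
SAMPLES = {
    "fw-a": "Version: FortiGate-100F v7.2.4,build0000,000000 (GA.F)",   # one below 7.2.5
    "fw-b": "Version: FortiGate-60F v7.0.12,build0000,000000 (GA.F)",   # exactly the fixed release
    "fw-c": "Version: FortiGate-200E v7.4.0,build0000,000000 (GA.F)",   # branch not listed in the post
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name}: {parse_version(line)} -> {assess(line)}")
```

Run the script after pasting the first line of `get system status` from each firewall into `SAMPLES`; anything reported as "vulnerable" needs the corresponding fixed release, and anything "unknown" needs a manual check against Fortinet's advisory once it is published.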


Fortinet FortiOS updates

The colleagues at Bleeping Computer picked up on the issue in this article after being contacted by security researcher Charles Fol, who had pointed out the vulnerability. I then came across the following tweet, which takes up the issue and links to a Shodan search.

The Shodan search lists 635,500 IP addresses of such devices worldwide, 199,500 of them in the U.S. Asked by Bleeping Computer and The Hacker News, Fortinet responded as follows:

Timely and ongoing communications with our customers are a key component in our efforts to best protect and secure their organization. There are instances where confidential advance customer communications can include early warning on Advisories to enable customers to further strengthen their security posture, prior to the Advisory being publicly released to a broader audience. This process follows best practices for responsible disclosure to ensure our customers have the timely information they need to help them make informed risk-based decisions. For more on Fortinet's responsible disclosure process, visit the Fortinet Product Security Incident Response Team (PSIRT) page.


This entry was posted in Security, Software, Update.
