In this article:
If your organization or your vendors use Fortinet FortiGate appliances, see this guidance for addressing a critical vulnerability in the operating system for these products.
Understand the vulnerability and its risk
On June 12, 2023, Fortinet published an advisory about CVE-2023-27997, a critical vulnerability in FortiOS, the operating system for FortiGate firewalls and virtual private networks (VPNs). The flaw is a heap-based buffer overflow in the SSL-VPN component.
Unauthenticated threat actors can exploit this flaw and execute arbitrary code, meaning they can run any malicious code they want on affected systems. For example, they can access sensitive data or manipulate files.
Threat actors, such as the Chinese advanced persistent threat (APT) group Volt Typhoon, have been known to exploit the Fortinet vulnerability, targeting governments and organizations worldwide.
Find out if you or your vendors are affected and take action
Find devices in your domain or a vendor's domain running FortiGate products
Use Attack Surface Intelligence to find all Fortinet appliances hosting an SSL certificate issued by FortiGate that our sensors have collected.
In the SecurityScorecard top navigation menu, select Modules and then Attack Surface Intelligence.
Run the following queries in the top search bar.
Tip: Learn more about creating queries in Attack Surface Intelligence.
- Identify all devices with FortiGate SSL certificates globally:
ssl_issuer_cn:'FortiGate'
- Identify all devices with FortiGate SSL certificates by country:
(and ssl_issuer_cn:'FortiGate' country:'US')
- Identify all devices with FortiGate SSL certificates for a single domain (replace "example.com" with an actual domain name):
(and ssl_issuer_cn:'FortiGate' attributed_domain:'example.com')
- Identify all devices with FortiGate SSL certificates for multiple domains (replace "example*.com" with actual domain names):
(and ssl_issuer_cn:'FortiGate' attributed_domain:'example.com' attributed_domain:'example2.com' attributed_domain:'example3.com')
- Identify all devices with FortiGate SSL certificates by industry, for example, the "GOVERNMENT" industry (see all possible industries you can query for):
(and ssl_issuer_cn:'FortiGate' industry:'GOVERNMENT')
Test exposed FortiGate devices for the vulnerability
Use the Bishop Fox CVE-2023-27997 Testing Tool, an open-source Python script, to help determine whether a FortiGate device is vulnerable, patched, or affected by another issue.
We recommend exporting lists of FortiGate IP addresses related to your organization as returned by your Attack Surface Intelligence queries, and then running the Python script to test the identified IP addresses.
Important: Only run the Bishop Fox tool on assets you own or have permission to test, such as devices on your own network or those belonging to vendors and partners with whom you have existing relationships and agreements. Or, if your Attack Surface Intelligence queries indicate that your vendors and partners use FortiGate devices, ask them to perform the test on their own assets.
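The two steps above (building the Attack Surface Intelligence queries, then exporting the returned IP addresses and deciding which ones you are entitled to test) can be scripted. The following Python is an added example, not SecurityScorecard's or Bishop Fox's code. It assumes that Attack Surface Intelligence accepts the `(and key:'value' ...)` syntax shown in the queries above (the keys `ssl_issuer_cn`, `attributed_domain`, `country` and `industry` are taken from the page), and that an exported result is a CSV with an `ip` column (the column name and the sample export are constructed for the example). The query builder generalizes the single-domain and multi-domain queries above to any number of domains, countries or industries, and always quotes each value; the scope filter splits the exported addresses into those inside networks you own (which you may test yourself) and those outside (which you should raise with the vendor that operates them instead).

```python
"""Helpers for the FortiGate exposure workflow: build ASI queries, then
keep only the exported IPs that are in your own, authorised scope.

Added example; not SecurityScorecard's or Bishop Fox's code.
Assumptions: the "(and key:'value' ...)" ASI query syntax and the key
names shown on the page; an export CSV with an "ip" column.
"""
import csv
import io
import ipaddress


def asi_query(domains=(), countries=(), industries=()):
    """Return an ASI query for FortiGate-issued certificates, optionally
    restricted to attributed domains, countries or industries.

    Every value is single-quoted so that no domain is left bare, and values
    containing quotes or whitespace are rejected rather than silently
    producing a query that means something else.
    """
    terms = ["ssl_issuer_cn:'FortiGate'"]
    for key, values in (("attributed_domain", domains),
                        ("country", countries),
                        ("industry", industries)):
        for value in values:
            if "'" in value or any(ch.isspace() for ch in value):
                raise ValueError(f"unsupported character in value: {value!r}")
            terms.append(f"{key}:'{value}'")
    if len(terms) == 1:
        return terms[0]                      # global query, no (and ...) wrapper
    return "(and " + " ".join(terms) + ")"


def in_scope_targets(exported_csv, owned_cidrs):
    """Split the IPs in an ASI export into (in_scope, out_of_scope).

    in_scope: deduplicated addresses inside networks you own or are
    authorised to test; out_of_scope: everything else, to be taken up with
    the vendor or partner that operates it.  Blank or malformed rows are
    skipped.  Both lists are returned as sorted strings.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in owned_cidrs]
    in_scope, out_of_scope = set(), set()
    for row in csv.DictReader(io.StringIO(exported_csv)):
        raw = (row.get("ip") or "").strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue
        (in_scope if any(addr in n for n in nets) else out_of_scope).add(addr)
    order = lambda a: (a.version, int(a))   # sort IPv4 before IPv6, then numerically
    return ([str(a) for a in sorted(in_scope, key=order)],
            [str(a) for a in sorted(out_of_scope, key=order)])


# Constructed sample export (not real ASI output); addresses are from the
# RFC 5737 documentation ranges.  One duplicate and one malformed row included.
SAMPLE_EXPORT = """ip,hostname,ssl_issuer_cn
192.0.2.10,vpn.example.com,FortiGate
192.0.2.10,vpn.example.com,FortiGate
198.51.100.7,vpn.vendor.example,FortiGate
not-an-ip,,FortiGate
203.0.113.44,fw.example.com,FortiGate
"""
OWNED_CIDRS = ["192.0.2.0/24", "203.0.113.0/24"]   # constructed "our networks"

if __name__ == "__main__":
    print(asi_query(domains=["example.com", "example2.com"]))
    mine, theirs = in_scope_targets(SAMPLE_EXPORT, OWNED_CIDRS)
    print("test these ourselves:", mine)
    print("ask the operating vendor to test:", theirs)
```

The `mine` list is the one to hand to the Bishop Fox tool, in whatever input form its README documents; the `theirs` list is the one to send to the vendors and partners concerned.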
Please contact your account manager if you have questions or need support in surfacing potentially vulnerable systems with Attack Surface Intelligence.
Click here for more information or to request a demo of SecurityScorecard’s context-rich threat data platform, Attack Surface Intelligence.
Note: See Fortinet's advisory for a list of all product versions affected by this vulnerability.
Remediate the vulnerability
See the Fortinet advisory for remediation guidance.
Get help from our incident response team
If you think you or any of your vendors have been attacked because of an exploit of the Fortinet vulnerability, call the SecurityScorecard Incident Response team at +1 800-682-1707 and select option 0.