Fortinet releases patch for remote code execution bug in FortiOS and VPN

Fortinet has released a patch for a remote code execution vulnerability in its FortiOS firmware and VPN service. It is not known exactly what the bug entails, but researchers say it allows remote code execution on devices.

The bug is tracked as CVE-2023-27997, but no official details have been made public yet. Fortinet itself tracks the bug as FG-IR-23-097. However, several security agencies and companies claim to have more information about the vulnerability. The Australian Cybersecurity Center, for example, writes that the vulnerability makes it possible to gain privileges on a machine that can execute code. The vulnerability was found by a security researcher, but because of the responsible disclosure process he has not yet published any details. Fortinet says the vulnerability is a heap-based buffer overflow, but the company provides no further details either.

According to Fortinet, the vulnerability affects any version of FortiOS between FortiOS-6K7K 6.0.10 and 7.0.10, and FortiOS 6.0.16 and 7.2.4. In the VPN service FortiProxy, the vulnerability is present in 1.1 and 1.2, 2.0.0 to 2.0.12, and between 7.0.0 and 7.2.3.

Fortinet itself says that the vulnerability is actively abused, reportedly in the Volt Typhoon malware campaign. Volt Typhoon is a hacker group that mainly focuses on critical telecom infrastructure in the United States and Asia. The attackers often enter via Fortinet equipment and then use living-off-the-land techniques, mainly to steal information and carry out espionage activities.
