Warning of Critical Vulnerability in Fortinet Products
The National Cyber Security Centre SK-CERT warns of a new critical vulnerability in the FortiOS operating system included in various Fortinet products. Fortinet products are widely used by organizations in the Slovak cyberspace, including operators of essential services.
The warning is issued by the National Security Authority pursuant to Article 27(1) a) of the .
The vulnerability is located in the SSL VPN web user interface (not in the administration interface) and affects all devices with non-current firmware that have a VPN port accessible on the Internet. It is assumed that in order to exploit it, it is not necessary to use the SSL VPN service as such on the device. Remote code execution allows exploitation of the vulnerability and complete breach of confidentiality, integrity and availability.
The vulnerability has not yet been officially announced by the manufacturer, but is widely communicated in the security community and is tracked as CVE-2023-27997. The fix for this vulnerability is in the latest versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, 7.2.5, released on Friday, 9 June 2023. The manufacturer is expected to officially comment on this vulnerability on Tuesday, 13 June 2023. SK-CERT estimates that this vulnerability may reach a CVSS score of up to 10.0.
This vulnerability can be exploited without any authentication, so even a properly configured multi-factor authentication will not prevent it.
This is another critical vulnerability in the SSL VPN component after December warning of different critical vulnerability in the same product.
RECOMMENDATIONS
The National Cyber Security Centre SK-CERT strongly recommends the following:
- immediately update the firmware to the latest available version, but at least to versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, 7.2.5. If the update is not possible, switch off the device. In this case, it is not recommended to wait for a regular update due to high risk;
- change all keys, passwords and VPN accesses on the affected device after update;
- search for internal addresses of the affected device in the logs of the devices on the local network (servers, workstations) and assess whether the communication is legitimate. If you find suspicious connections (e.g. port scans, login attempts, web application enumeration), assume compromise and launch a full incident response;
- if possible, identify network connections from the Internet to the SSL VPN on an independent device and compare with legitimate user connections. If this leads to identification of communications with an external IP address that did not belong to a legitimate VPN connection and more than 10 kB of data was transferred within the connection, assume compromise and launch a full incident response;
- in the event of a cybersecurity incident detection, report the incident to the National Cyber Security Centre SK-CERT at [email protected].
« Späť na zoznam