How to find Fortinet SSL-VPN


What is Fortinet SSL-VPN? #

Fortinet SSL-VPN is a VPN capability offered in some Fortinet products, including FortiGate firewall devices. This service provides secured network communications between a remote client and protected devices on an internal network. Several modes of operation are supported, including "tunnel mode" (which requires use of the FortiClient VPN client) and "web mode" (which does not require client-side VPN software).

Latest Fortinet SSL-VPN vulnerability #

Fortinet warned customers this week of potential limited exploitation in the wild regarding a flaw affecting the SSL-VPN software component. This critical vulnerability (tracked as CVE-2023-27997) can be remotely exploited without authentication and can yield remote code or command execution to an attacker. Discovered by researchers Charles Fol and Dany Bach at LEXFO, disclosure-and-fix of this vulnerability coincided with an internal SSL-VPN audit-and-fix effort at Fortinet which covered this and five additional vulnerabilities.

What is the impact? #

Of the six disclosed vulnerabilities, CVE-2023-27997 is considered the most severe with a "critical" CVSS score of 9.2. This pre-authentication vulnerability is rooted in a heap-based buffer overflow, seemingly similar to CVE-2022-42475 which was disclosed earlier this year as also affecting SSL-VPN (and did have reported exploitation in the wild). Attackers can exploit this vulnerability via a specially crafted request.

The complete list of recently disclosed-and-fixed Fortinet SSL-VPN vulnerabilities is as follows:

  • CVE-2023-27997 (9.2, "critical) - pre-auth heap buffer overflow in SSL-VPN, exploitation could yield code/command execution
  • CVE-2023-29180 (7.3, "high") - null pointer dereference in SSLVPNd, exploitation could cause a denial-of-service condition by crashing SSLVPNd
  • CVE-2023-22640 (7.1, "high") - out-of-bounds write in SSLVPNd, exploitation could yield code/command execution
  • CVE-2023-29181 (8.3, "high") - format string bug in Fclicense daemon, exploitation could yield code/command execution
  • CVE-2023-29179 (6.4, "medium") - null pointer dereference in the SSLVPNd proxy endpoint, exploitation could cause a denial-of-service condition by crashing SSLVPNd
  • CVE-2023-22641 (4.1, "medium") - open redirect in SSLVPNd, exploitation could allow an attacker to redirect a user's browser to a malicious URL

Are updates available? #

Fortinet published new firmware versions a few days ahead of this disclosure. A variety of FortiOS, FortiOS-6K7K, and FortiProxy versions have been patched to fix the recently disclosed CVEs affecting SSL-VPN: CVE-2023-27997, CVE-2023-29180, CVE-2023-22640, CVE-2023-29181, CVE-2023-29179, CVE-2023-22641. Admins or owners of Fortinet appliances/products running affected firmware with SSL-VPN enabled should ensure they are updated to one of the newer firmware versions. If updating is not a near-term option, disabling the SSL-VPN service on affected appliances can mitigate the risk of exploitation.

How do I find potentially vulnerable Fortinet SSL-VPN instances with runZero? #

From the Services inventory, use the following prebuilt query to locate Fortinet SSL-VPN instances in your network:

_asset.protocol:http AND protocol:http AND (http.head.setCookie:="SVPNCOOKIE%SVPNNETWORKCOOKIE%" OR last.http.head.setCookie:="SVPNCOOKIE%SVPNNETWORKCOOKIE%")

Fortinet SSL-VPN query

Results from the above query should be triaged to verify those assets are running updated firmware versions.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Written by Pearce Barry

More about Pearce Barry
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

Rapid Response
How to find Palo Alto Network firewalls running PAN-OS 11.1, 11.0, and 10.2
Palo Alto Networks disclosed that versions of their PAN-OS software have a vulnerability allowing for remote command injection. Here's how to find...
Rapid Response
How to find CrushFTP services
CrushFTP disclosed that versions of their file transfer software have a vulnerability allowing unauthenticated file system access. Here's how to...
Rapid Response
How to find outdated lighttpd services
Outdated versions of the open source lighttpd web server are vulnerable to a handful of security vulnerabilities
Rapid Response
How to find D-Link NAS Storage devices
D-Link has disclosed multiple vulnerabilities in their D-Link NAS Storage products. Here's how to find potentially impacted devices.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved