URL: https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign
ANALYSIS OF CVE-2023-27997 AND CLARIFICATIONS ON VOLT TYPHOON CAMPAIGN

By Carl Windsor | June 12, 2023

Affected Platforms: FortiOS
Impacted Users: Targeted at government, manufacturing, and critical
infrastructure
Impact: Data loss and OS and file corruption
Severity Level: Critical

Today, Fortinet published a CVSS Critical PSIRT Advisory (FG-IR-23-097 /
CVE-2023-27997) along with several other SSL-VPN related fixes. This blog adds
context to that advisory, providing our customers with additional details to
help them make informed, risk-based decisions, and provides our perspective
relative to recent events involving malicious actor activity.

The following write-up details our initial investigation into the incident that
led to the discovery of this vulnerability and additional IoCs identified during
our ongoing analysis.


INCIDENT ANALYSIS

Following the previous incident FG-IR-22-398 / CVE-2022-42475, published on
January 11, 2023, in which a heap-based buffer overflow in FortiOS SSL VPN was
observed being exploited in the wild, the Fortinet Product Security Incident
Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module
as part of our commitment to product security and integrity. This audit,
together with a responsible disclosure from a third-party researcher, led to the
identification of the issues below, which have been remediated in the current
firmware releases.

Incident ID    NVD CVE         Product   Severity        Description
FG-IR-23-097   CVE-2023-27997  FortiOS   9.2 (Critical)  Heap buffer overflow in SSL-VPN pre-authentication
FG-IR-23-111   CVE-2023-29180  FortiOS   7.3 (High)      Null pointer de-reference in SSLVPNd
FG-IR-22-475   CVE-2023-22640  FortiOS   7.1 (High)      FortiOS - Out-of-bound-write in SSLVPNd
FG-IR-23-119   CVE-2023-29181  FortiOS   8.3 (High)      Format String Bug in Fclicense daemon
FG-IR-23-125   CVE-2023-29179  FortiOS   6.4 (Medium)    Null pointer de-reference in SSLVPNd proxy endpoint
FG-IR-22-479   CVE-2023-22641  FortiOS   4.1 (Medium)    Open redirect in SSLVPNd

Our investigation found that one issue (FG-IR-23-097) may have been exploited in
a limited number of cases, and we are working closely with customers to monitor
the situation.

For this reason, if SSL-VPN is enabled, Fortinet is advising customers to take
immediate action and upgrade to the most recent firmware release. If SSL-VPN is
not in use, the risk from this issue is mitigated; however, Fortinet still
recommends upgrading.


CLARIFICATIONS ON VOLT TYPHOON CAMPAIGN

Our own research, conducted in collaboration with our customers, has identified
that the Volt Typhoon campaign uses a variety of tactics, techniques, and
procedures (TTPs) to gain access to networks, including the widely used
"living off the land" technique to evade detection. The campaign appears to use
vulnerabilities for which patches exist, primarily FG-IR-22-377 / CVE-2022-40684
for initial access. As Indicators of Compromise, admin accounts named
`fortinet-tech-support` and `fortigate-tech-support` were found on customer
devices related to this campaign.

At this time we are not linking FG-IR-23-097 to the Volt Typhoon campaign;
however, Fortinet expects all threat actors, including those behind the Volt
Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely
used software and devices. For this reason, Fortinet urges immediate and ongoing
mitigation through an aggressive patching campaign.


RECOMMENDED ACTIONS

In addition to monitoring Security Advisories and the immediate patching of
systems, Fortinet strongly recommends the following:

 * Review your systems for evidence of exploitation of previous vulnerabilities,
   e.g. FG-IR-22-377 / CVE-2022-40684
 * Maintain good cyber hygiene and follow vendor patching recommendations
 * Follow hardening recommendations, e.g., FortiOS 7.2.0 Hardening Guide
 * Minimize the attack surface by disabling unused features and managing devices
   via an out-of-band method wherever possible
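One concrete form of the first action is to check a FortiOS configuration backup for the admin account names listed above as Indicators of Compromise. The script below is an added example written for this post, not Fortinet's own tooling; it assumes the standard `config system admin` / `edit "name"` / `next` / `end` layout of a FortiOS configuration file and runs against a constructed sample.

```python
"""Flag FortiOS admin accounts that match the IoC names from the advisory."""
import re

# IoC admin account names named in the advisory (Volt Typhoon campaign).
IOC_ADMIN_NAMES = frozenset({"fortinet-tech-support", "fortigate-tech-support"})

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "fortinet-tech-support"
        set accprofile "super_admin"
    next
    edit "netops-ro"
        set accprofile "prof_admin"
    next
end
"""

_EDIT_RE = re.compile(r'^edit\s+"?([^"]+)"?$')


def parse_admin_accounts(config_text):
    """Return admin names from 'config system admin', ignoring nested blocks."""
    stack, names = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])       # enter a config block
        elif line == "end" and stack:
            stack.pop()                               # leave the current block
        elif stack and stack[-1] == "system admin":
            m = _EDIT_RE.match(line)                  # only top-level 'edit' lines
            if m:
                names.append(m.group(1))
    return names


def find_ioc_accounts(config_text, iocs=IOC_ADMIN_NAMES):
    """Return admin names matching the known IoC names (case-insensitive)."""
    return [n for n in parse_admin_accounts(config_text) if n.lower() in iocs]
```

Run `find_ioc_accounts(open("backup.conf").read())` against a real backup; a non-empty result warrants a full incident review, since a match indicates the device was already accessed, not merely that it is vulnerable.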


ADDITIONAL GUIDANCE

As a forward-looking security vendor, Fortinet’s Product Security Team is
constantly seeking ways to engage, inform, and encourage our customers to
institute mitigation best practices and to patch their systems.

If a customer should need additional guidance, they are advised to reach out to
customer support.

Please contact Fortinet Security via the Submission Form if you have any other
suggestions or feedback.

Fortinet continues to follow its PSIRT processes and best practices to best
mitigate the situation.

For details of the Fortinet PSIRT Policy:
https://www.fortiguard.com/psirt_policy.


Tags:

PSIRT
