https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign
Submission: On June 13 via api from IN — Scanned from DE
PSIRT Blogs

ANALYSIS OF CVE-2023-27997 AND CLARIFICATIONS ON VOLT TYPHOON CAMPAIGN

By Carl Windsor | June 12, 2023

Affected Platforms: FortiOS
Impacted Users: Targeted at government, manufacturing, and critical infrastructure
Impact: Data loss and OS and file corruption
Severity Level: Critical

Today, Fortinet published a CVSS Critical PSIRT Advisory (FG-IR-23-097 / CVE-2023-27997) along with several other SSL-VPN related fixes. This blog adds context to that advisory, providing our customers with additional details to help them make informed, risk-based decisions, and provides our perspective relative to recent events involving malicious actor activity. The following write-up details our initial investigation into the incident that led to the discovery of this vulnerability and additional IoCs identified during our ongoing analysis.

INCIDENT ANALYSIS

Following previous incident FG-IR-22-398 / CVE-2022-42475 published on January 11, 2023, where a heap-based buffer overflow in FortiOS SSL VPN with exploitation was observed in the wild, the Fortinet Product Security Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module as part of our commitment to product security and integrity. This audit, together with a responsible disclosure from a third-party researcher, led to the identification of certain issues that have been remediated in the current firmware releases.

| Incident ID  | NVD CVE        | Product | Severity (CVSS) | Description                                          |
|--------------|----------------|---------|-----------------|------------------------------------------------------|
| FG-IR-23-097 | CVE-2023-27997 | FortiOS | 9.2 (Critical)  | Heap buffer overflow in SSL-VPN pre-authentication   |
| FG-IR-23-111 | CVE-2023-29180 | FortiOS | 7.3 (High)      | Null pointer de-reference in SSLVPNd                 |
| FG-IR-22-475 | CVE-2023-22640 | FortiOS | 7.1 (High)      | FortiOS - Out-of-bound-write in SSLVPNd              |
| FG-IR-23-119 | CVE-2023-29181 | FortiOS | 8.3 (High)      | Format String Bug in Fclicense daemon                |
| FG-IR-23-125 | CVE-2023-29179 | FortiOS | 6.4 (Medium)    | Null pointer de-reference in SSLVPNd proxy endpoint  |
| FG-IR-22-479 | CVE-2023-22641 | FortiOS | 4.1 (Medium)    | Open redirect in SSLVPNd                             |

Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases, and we are working closely with customers to monitor the situation. For this reason, if the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release. If the customer is not operating SSL-VPN, the risk of this issue is mitigated – however, Fortinet still recommends upgrading.

CLARIFICATIONS ON VOLT TYPHOON CAMPAIGN

Our own research, conducted in collaboration with our customers, has identified that the Volt Typhoon campaign uses a variety of tactics, techniques, and procedures (TTPs) to gain access to networks, including a widely used technique known as “living off the land” to evade detection. The campaign appears to use vulnerabilities for which patches exist, primarily FG-IR-22-377 / CVE-2022-40684 for initial access. As Indicators of Compromise, admin accounts named `fortinet-tech-support` and `fortigate-tech-support` were found in customer devices related to this campaign. At this time we are not linking FG-IR-23-097 to the Volt Typhoon campaign; however, Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices.

For this reason, Fortinet urges immediate and ongoing mitigation through an aggressive patching campaign.

RECOMMENDED ACTIONS

In addition to monitoring Security Advisories and the immediate patching of systems, Fortinet strongly recommends the following:

* Review your systems for evidence of exploit of previous vulnerabilities, e.g., FG-IR-22-377 / CVE-2022-40684
* Maintain good cyber hygiene and follow vendor patching recommendations
* Follow hardening recommendations, e.g., FortiOS 7.2.0 Hardening Guide
* Minimize the attack surface by disabling unused features and managing devices via an out-of-band method wherever possible

ADDITIONAL GUIDANCE

As a forward-looking security vendor, Fortinet’s Product Security Team is constantly seeking ways to engage, inform, and encourage our customers to institute mitigation best practices and to patch their systems. If a customer should need additional guidance, they are advised to reach out to customer support. Please contact Fortinet Security via the Submission Form if you have any other suggestions or feedback. Fortinet continues to follow its PSIRT processes and best practices to best mitigate the situation. For details of the Fortinet PSIRT Policy: https://www.fortiguard.com/psirt_policy.
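The two checks the advisory asks for, a look for the named IoC admin accounts and a check of whether SSL-VPN is enabled, can be run over an exported configuration rather than by eye. The script below is an added example, not Fortinet's code: it assumes the usual FortiOS CLI dump grammar (`config <path>` / `edit "<name>"` / `set <key> <value>` / `next` / `end`) and assumes that SSL-VPN state appears as `set status enable` under `config vpn ssl settings`; the embedded configuration is constructed for the example and is not from any real device.

```python
"""Triage a FortiOS configuration dump for the indicators named in the advisory.

Added example, not Fortinet's code. The config grammar assumed here
(config <path> / edit "<name>" / set <key> <value> / next / end) is the
common shape of a `show full-configuration` dump; the exact keys under
`config vpn ssl settings` are an assumption.
"""
import shlex
from typing import Dict, List

# Admin account names the advisory lists as Indicators of Compromise.
IOC_ADMIN_NAMES = {"fortinet-tech-support", "fortigate-tech-support"}

# Constructed sample dump (not from a real device) exercising both checks.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "fortinet-tech-support"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "ops-readonly"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
config vpn ssl settings
    set status enable
    set port 443
end
"""

Section = Dict[str, Dict[str, str]]  # entry name -> {key: value}


def parse_config(text: str) -> Dict[str, Section]:
    """Parse a FortiOS-style dump into {config path: {entry: {key: value}}}.

    Tables (config ... edit ... next ... end) become entries keyed by the
    edit name; scalar blocks (config ... set ... end) use the entry name "".
    Nested sub-tables are flattened onto their own path, which is enough for
    this triage but would merge same-named sub-tables of different parents.
    """
    sections: Dict[str, Section] = {}
    path_stack: List[str] = []
    entry_stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # strips the quotes around names/values
        except ValueError:
            tokens = line.split()       # tolerate an unbalanced quote
        kw = tokens[0]
        if kw == "config":
            path_stack.append(" ".join(tokens[1:]))
            entry_stack.append("")
            sections.setdefault(path_stack[-1], {})
        elif not path_stack:
            continue                    # stray line outside any block
        elif kw == "edit":
            entry_stack[-1] = tokens[1] if len(tokens) > 1 else ""
            sections[path_stack[-1]].setdefault(entry_stack[-1], {})
        elif kw == "set" and len(tokens) >= 2:
            entry = sections[path_stack[-1]].setdefault(entry_stack[-1], {})
            entry[tokens[1]] = " ".join(tokens[2:])
        elif kw == "next":
            entry_stack[-1] = ""
        elif kw == "end":
            path_stack.pop()
            entry_stack.pop()
    return sections


def find_ioc_admins(sections: Dict[str, Section]) -> List[str]:
    """Return admin account names that match the advisory's IoC list."""
    admins = sections.get("system admin", {})
    return sorted(name for name in admins if name.lower() in IOC_ADMIN_NAMES)


def sslvpn_enabled(sections: Dict[str, Section]) -> bool:
    """True if `config vpn ssl settings` carries `set status enable` (assumed key)."""
    settings = sections.get("vpn ssl settings", {}).get("", {})
    return settings.get("status", "disable").lower() == "enable"


def triage(text: str) -> dict:
    """Summarise the findings a responder would act on first."""
    sections = parse_config(text)
    return {
        "ioc_admins": find_ioc_admins(sections),
        "sslvpn_enabled": sslvpn_enabled(sections),
        "admin_count": len(sections.get("system admin", {})),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG))
```

On the constructed dump the report flags `fortinet-tech-support` and notes that SSL-VPN is enabled, which is the combination the advisory says should trigger an immediate upgrade and a review of the remaining admin accounts. Any account that is not on the IoC list but was not provisioned by your own change process deserves the same scrutiny.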