CVE-2023-27997: 
FortiOS vulnerability analysis and mitigation

A critical heap-based buffer overflow vulnerability (CVE-2023-27997) was discovered in Fortinet's FortiOS and FortiProxy SSL-VPN components. The vulnerability was disclosed on June 12, 2023, affecting multiple versions of FortiOS (versions 7.2.4 and below, 7.0.11 and below, 6.4.12 and below, 6.0.16 and below) and FortiProxy (versions 7.2.3 and below, 7.0.9 and below, 2.0.12 and below, 1.2 and 1.1 all versions). This pre-authentication vulnerability could allow remote attackers to execute arbitrary code or commands via specifically crafted requests (Fortinet Advisory).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) in the SSL-VPN component. It received a Critical CVSS v3.1 base score of 9.8, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows remote attackers to execute arbitrary code or commands on affected systems. There have been confirmed instances where this vulnerability was exploited to download configuration files from targeted devices and add malicious super_admin accounts (Rapid7).

Fortinet recommends upgrading to patched versions: FortiOS version 7.4.0 or above, 7.2.5 or above, 7.0.12 or above, 6.4.13 or above, 6.2.14 or above, or 6.0.17 or above. For FortiProxy, upgrade to version 7.2.4 or above, 7.0.10 or above, or 2.0.13 or above. If immediate patching is not possible, the recommended workaround is to disable SSL-VPN (Fortinet Advisory).

The vulnerability has gained significant attention due to its critical nature and active exploitation. The discovery was credited to Charles Fol and Dany Bach from LEXFO under responsible disclosure. The U.S. government released a security bulletin highlighting state-sponsored threat actors gaining access to networks via Fortigate devices (Rapid7).