In this advisory we provide information on another Fortinet bug, as well as guidance on the recent Barracuda Email Security Gateway appliance hack.
 

FortiOS FortiGate SSL-VPN RCE vulnerability

A vulnerability has been discovered that affects FortiOS FortiGate devices with SSL-VPN enabled.
 
Allocated CVE-2023-27997, the vulnerability “is reachable pre-authentication (without any login needed), on every [Fortinet] SSL VPN appliance” according to research from Charles Fol of French offensive security firm Lexfo Security.
 
This vulnerability allows an attacker to run unauthorised code or commands remotely on the affected system.
 

Impacted Version(s)

All FortiGate devices running FortiOS with SSL-VPN enabled are potentially at risk.
 

Mitigation/Remediation Strategies

Upgrade devices running FortiOS to the latest version as soon as possible.
 
Security fixes were included in FortiOS firmware versions released on Friday, 9 June 2023. Fixed versions of FortiOS are:
6.0.17
6.2.15
6.4.13
7.0.12
7.2.5
 
 

Barracuda ESG appliances

Barracuda Networks is advising customers to immediately replace hacked Email Security Gateway (ESG) appliances, even if they have installed all available patches (following the original announcement).
 
Since the original 18 May 2023 announcement, there has been evidence that appliances may have been compromised since October 2022.
 

Impacted Version(s)

The vulnerability, tracked as CVE-2023-2868 and described as a remote command injection issue, impacts Email Security Gateway (ESG) appliances running versions 5.1.3.001 through 9.2.0.006.
 

Mitigation/Remediation Strategies

Previous guidance was to install the updates and patches released by Barracuda; however, this has since been revised to a complete replacement of the impacted appliances.
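
The version information in both sections above can be checked against a device inventory. The following Python is an added example, not code from Fortinet, Barracuda or the original advisory; the inventory layout, hostnames, build suffix, status labels and function names are assumptions made for illustration.

```python
import re

# Fixed FortiOS releases per branch, as listed in the advisory: (major, minor) -> patch.
FORTIOS_FIXED = {(6, 0): 17, (6, 2): 15, (6, 4): 13, (7, 0): 12, (7, 2): 5}
# ESG firmware range the advisory gives for CVE-2023-2868 (inclusive bounds).
ESG_LOW, ESG_HIGH = (5, 1, 3, 1), (9, 2, 0, 6)

def parse(version):
    """Turn '7.0.9' or 'v7.0.9 build0444' into a tuple of ints; None if malformed."""
    m = re.match(r"v?(\d+(?:\.\d+)+)", version.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def fortios_status(version, sslvpn_enabled):
    v = parse(version)
    if v is None or len(v) < 3:
        return "unparseable"
    fixed_patch = FORTIOS_FIXED.get(v[:2])
    if fixed_patch is None:
        return "branch-not-listed"  # the advisory names no fixed build for this branch
    if v[2] >= fixed_patch:
        return "fixed"
    # Below the fixed build: SSL-VPN enabled is the exposure condition in the advisory.
    return "exposed" if sslvpn_enabled else "upgrade"

def esg_status(version):
    v = parse(version)
    if v is None or len(v) != 4:
        return "unparseable"
    return "in-affected-range" if ESG_LOW <= v <= ESG_HIGH else "outside-range"

def triage(inventory):
    """inventory rows: (host, product, version, sslvpn_enabled) -> [(host, status)]."""
    out = []
    for host, product, version, sslvpn in inventory:
        status = fortios_status(version, sslvpn) if product == "fortios" else esg_status(version)
        out.append((host, status))
    return out

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = [
    ("fw-edge-1", "fortios", "v7.0.11 build0489", True),
    ("fw-edge-2", "fortios", "7.2.5", True),
    ("fw-lab-1", "fortios", "6.4.12", False),
    ("fw-new-1", "fortios", "7.4.0", True),
    ("esg-mail-1", "esg", "9.2.0.006", None),
    ("esg-mail-2", "esg", "9.2.1.001", None),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host:12} {status}")
```

An ESG appliance reported as in-affected-range is a candidate for compromise investigation; per the guidance above, its patch level alone does not clear it.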