
SECURITY ALERT: FortiOS & FortiProxy heap-based buffer overflow vulnerability: FG-IR-23-097

June 13, 2023 | Posted in: Security Bulletins & Alerts

Systems Engineering is aware of the following vulnerability in FortiOS.
CVE-2023-27997 / FG-IR-23-097: FortiOS & FortiProxy - Heap buffer overflow in Secure Socket Layer Virtual Private Network (SSL-VPN) pre-authentication.

FortiGuard has rated this vulnerability as a Critical risk.

Description

A heap-based buffer overflow vulnerability [CWE-122] has been found in the FortiOS and FortiProxy SSL-VPN. A buffer overflow is a type of security vulnerability that occurs when more data is written to a buffer (a temporary data storage area) than it was designed to hold. In this case the data can be sent by an unauthenticated, remote attacker before any login takes place, since the flaw sits in the pre-authentication path of the SSL-VPN. This "overflow" of data can cause a vulnerable device to crash or allow an attacker to execute malicious code on the system.

Course of Action

We will be proactively patching for this vulnerability over the coming weeks for our SE Eventwatch, SE Essentials, and SE Secure clients.

For clients who do not have SE Eventwatch, SE Essentials, or SE Secure, we recommend that you have your FortiGates patched for this vulnerability. If you would like our assistance with patching your FortiGate, please reach out to Systems Engineering Customer Service at 207.772.4199 to have a ticket opened to get your FortiGate updated.