Background
Fortinet FortiGate, powered by FortiOS, is one of the most deployed enterprise network security platforms globally, with millions of units in production at enterprises, service providers, and government agencies. The SSL-VPN feature is a core component widely used for remote access, making the attack surface extremely broad.
CVE-2023-27997 is a pre-authentication heap overflow discovered by security researchers Charles Fol and Théo Bertrand at Lexfo (who named it “XORtigate”) and disclosed in June 2023 with a CVSS score of 9.8. Fortinet’s advisory acknowledged the “potential to be exploited” before the patch was released. Post-disclosure analysis confirmed that this was a variant of the heap overflow underlying CVE-2022-42475 — Fortinet had patched the earlier version but left a related code path vulnerable.
Technical Mechanism
CVE-2023-27997 is a heap-based buffer overflow in the SSL-VPN pre-authentication code path. The vulnerability resides in how FortiOS handles SSL-VPN connection requests before any authentication occurs.
The affected component processes SSL handshake data and session setup parameters during VPN tunnel establishment. Specifically, the code copies user-supplied data into a heap-allocated buffer. The allocation size is calculated based on one set of parameters, but the copy operation uses a different (larger) size derived from attacker-controlled input — a classic heap overflow setup:
```c
// Simplified vulnerable pattern (conceptual, not FortiOS source)
int alloc_size = calculate_initial_size(params);   // size derived from one set of parameters
char *buffer = malloc(alloc_size);
// Later in processing:
int copy_size = get_input_size(ssl_packet);         // attacker-controlled, can exceed alloc_size
memcpy(buffer, ssl_packet_data, copy_size);         // heap overflow: copy_size is never checked against alloc_size
```
The overflow corrupts adjacent heap chunks. In the Fortinet environment, researchers discovered that the heap layout is somewhat predictable because the SSL-VPN daemon allocates specific data structures in a consistent order. By crafting the overflow payload carefully:
- A first connection sets up the heap in a known state
- A second connection triggers the overflow, corrupting a specific adjacent structure
- The corrupted structure contains a function pointer that is subsequently called
- The attacker-controlled pointer redirects execution to a shellcode payload
The exploit bypasses ASLR to a degree through heap spray and grooming techniques. The XORtigate name refers to researchers’ observation that Fortinet XOR-encodes certain SSL VPN cookies — researchers decoded this to understand the session handling code.
Fortinet uses a custom Linux-based OS with proprietary modifications, and the SSL-VPN daemon runs with elevated privileges, so the resulting RCE lands in a privileged context.
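The size mismatch in the simplified pattern above is the whole bug: one value sizes the allocation and a different, peer-controlled value sizes the copy. The C below is an added example written for this page, not FortiOS code; the packet structure, the `SESSION_DATA_MAX` ceiling and the function names are hypothetical. It shows the same operation with a single validated length driving both the allocation and the copy, plus a helper that reports whether a constructed packet is accepted or rejected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not FortiOS code. The peer supplies a length field; the
 * receiver separately knows how many bytes really arrived. */
typedef struct {
    size_t declared_len;   /* length claimed by the peer: untrusted */
    size_t actual_len;     /* bytes actually present in the packet */
    const uint8_t *data;   /* start of those bytes */
} ssl_packet_t;

/* Hypothetical protocol ceiling for one session-setup record. */
#define SESSION_DATA_MAX 4096u

/* Hardened form of the vulnerable pattern: a single length is validated
 * against the bytes received and the ceiling BEFORE malloc, and that same
 * length drives both the allocation and the memcpy. Returns 0 and hands
 * back the copy, or -1 with nothing allocated (caller drops the session). */
int copy_session_data_checked(const ssl_packet_t *pkt, uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (pkt == NULL || pkt->data == NULL)
        return -1;
    if (pkt->declared_len > pkt->actual_len)   /* the overflow condition */
        return -1;
    if (pkt->declared_len > SESSION_DATA_MAX)  /* protocol sanity ceiling */
        return -1;
    uint8_t *buffer = malloc(pkt->declared_len ? pkt->declared_len : 1);
    if (buffer == NULL)
        return -1;
    memcpy(buffer, pkt->data, pkt->declared_len); /* cannot exceed allocation */
    *out = buffer;
    *out_len = pkt->declared_len;
    return 0;
}

/* Builds a constructed packet of `actual` filler bytes whose header claims
 * `declared` bytes; returns 1 if the checked copy accepts it and the copy
 * is byte-exact, 0 if it is rejected. */
int accepts(size_t declared, size_t actual)
{
    static uint8_t filler[2 * SESSION_DATA_MAX];
    if (actual > sizeof filler)
        actual = sizeof filler;
    memset(filler, 0x41, sizeof filler);
    ssl_packet_t pkt = { declared, actual, filler };
    uint8_t *copy = NULL;
    size_t copy_len = 0;
    if (copy_session_data_checked(&pkt, &copy, &copy_len) != 0)
        return 0;
    int ok = (copy_len == declared) && memcmp(copy, filler, copy_len) == 0;
    free(copy);
    return ok;
}

int main(void)
{
    printf("declared 64 / received 64       -> %s\n", accepts(64, 64) ? "accepted" : "rejected");
    printf("declared 200 / received 64      -> %s\n", accepts(200, 64) ? "accepted" : "rejected");
    printf("declared 5000 / received 5000   -> %s\n", accepts(5000, 5000) ? "accepted" : "rejected");
    printf("declared SIZE_MAX / received 64 -> %s\n", accepts(SIZE_MAX, 64) ? "accepted" : "rejected");
    return 0;
}
```

The two rejections that matter are the second and fourth cases: a declared length larger than the bytes received is exactly the condition the original pattern never tests, and the huge value shows why the check must run before the allocation rather than after it.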
Real-World Exploitation Evidence
Despite initial attribution of exploitation to a “limited number of cases,” post-advisory analysis revealed broader exploitation:
- Volt Typhoon (China): US government joint advisory in May 2023 specifically called out Chinese state-sponsored actors exploiting Fortinet vulnerabilities (including predecessors to CVE-2023-27997) to target US critical infrastructure in pre-positioning campaigns.
- Ransomware groups: Akira ransomware was documented exploiting CVE-2023-27997 for initial access, followed by data exfiltration and encryption. Akira has shown a strong preference for Fortinet VPN vulnerabilities throughout 2023-2024.
- Initial access brokers: Multiple underground forums showed Fortinet VPN access being sold, with some sellers advertising CVE-2023-27997 exploitation capability.
Security firm Bishop Fox published a detailed analysis showing that 300,000+ FortiGate SSL-VPN appliances remained unpatched weeks after the advisory, representing an enormous persistent attack surface.
Impact Assessment
Pre-authentication RCE on a perimeter firewall/VPN appliance represents one of the most severe possible breach scenarios:
- No credentials needed: Any attacker with TCP connectivity to the SSL-VPN port (443 or 10443) can attempt exploitation.
- Root access to firewall: RCE in the SSL-VPN daemon context gives attackers the ability to modify firewall rules, create new VPN accounts, and access encrypted traffic.
- Internal network pivot: The firewall is positioned at the network boundary with routing access to all internal segments.
- Credential harvesting: VPN authentication credentials and configuration-stored secrets are accessible post-exploitation.
- Persistence mechanisms: Attackers can modify FortiOS configuration, add administrator accounts, or install implants that survive routine security checks.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| FortiOS 7.2 | 7.2.0 – 7.2.4 | 7.2.5+ |
| FortiOS 7.0 | 7.0.0 – 7.0.11 | 7.0.12+ |
| FortiOS 6.4 | 6.4.0 – 6.4.12 | 6.4.13+ |
| FortiOS 6.2 | 6.2.0 – 6.2.13 | 6.2.14+ |
| FortiProxy 7.2 | 7.2.0 – 7.2.3 | 7.2.4+ |
| FortiProxy 7.0 | 7.0.0 – 7.0.9 | 7.0.10+ |
Remediation Steps
- Apply patches immediately: Update FortiOS to the fixed versions. This is the only complete remediation.
- Disable SSL-VPN (if not in use or as an interim measure):

  ```
  config vpn ssl settings
      set status disable
  end
  ```

- Restrict access to SSL-VPN: Limit VPN endpoint accessibility using Fortinet's local-in policy:

  ```
  config firewall local-in-policy
      edit 1
          set intf "wan1"
          set srcaddr [ALLOWED_IP_RANGE]
          set dstaddr "all"
          set service "HTTPS"
          set action accept
      next
  end
  ```

- Review for compromise: Check for:
  - Unexpected local admin accounts: `show system admin`
  - Unexpected VPN user accounts: `show vpn ssl settings`
  - Modified configuration files in `/data/partition`
- Enable FortiGuard threat feeds: Ensure IPS signatures covering CVE-2023-27997 exploitation are active and up to date.
Detection Guidance
Log sources:
- FortiGate event log: Log & Report > System Events
- VPN event log: Log & Report > Events > VPN Events
- System log via CLI: `diagnose log test`

CLI diagnostic commands:

```
# Check for unexpected admin accounts
get system admin
# Check SSL-VPN configuration for unexpected settings
get vpn ssl settings
# Check currently connected VPN sessions
diagnose vpn ssl list
```
Indicators of Compromise:
- SSL-VPN crash/restart events in system logs preceding unknown connection events
- New or modified administrator accounts created outside normal change windows
- Configuration changes to firewall policies not matching change management records
- Unexpected outbound connections from the FortiGate management IP
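The indicators above, and the "Review for compromise" step under Remediation, reduce to a few field checks on FortiGate event lines. The C below is an added example written for this page, not Fortinet tooling: the key=value parser, the 02:00 to 04:00 change window, the crash-message wording and all sample log lines are constructed assumptions. It flags administrator-account and firewall-policy configuration changes that fall outside the window, and messages indicating the SSL-VPN daemon crashed or restarted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Fortinet tooling: scans FortiGate-style key=value
 * event lines for the indicators listed above. The change window, the
 * crash-line wording and all sample lines are constructed for the example. */

/* Approved change window (hypothetical): 02:00 to 04:00 local time. */
#define WINDOW_START_MIN (2 * 60)
#define WINDOW_END_MIN   (4 * 60)

enum ioc { IOC_NONE = 0, IOC_ADMIN_CHANGE, IOC_POLICY_CHANGE, IOC_SSLVPN_RESTART, IOC_COUNT };

/* Copies the value of key=value or key="value" into out. Returns 1 if the
 * key is present as a whole token (not as the tail of another key), else 0. */
int log_field(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = line;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == line || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            int quoted = (*v == '"');
            size_t n = 0;
            if (quoted) v++;
            while (v[n] != '\0' && v[n] != (quoted ? '"' : ' ')) n++;
            if (n >= outlen) n = outlen - 1;      /* truncate, never overflow */
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Minutes since midnight from time=HH:MM:SS, or -1 if absent or malformed. */
int minute_of_day(const char *line)
{
    char t[16];
    int h, m, s;
    if (!log_field(line, "time", t, sizeof t)) return -1;
    if (sscanf(t, "%d:%d:%d", &h, &m, &s) != 3) return -1;
    if (h < 0 || h > 23 || m < 0 || m > 59) return -1;
    return h * 60 + m;
}

enum ioc classify_line(const char *line)
{
    char path[64], action[16], msg[256];
    int mod = minute_of_day(line);
    int in_window = (mod >= WINDOW_START_MIN && mod < WINDOW_END_MIN);

    /* Configuration-change events carry cfgpath and action. */
    if (log_field(line, "cfgpath", path, sizeof path) &&
        log_field(line, "action", action, sizeof action)) {
        int is_change = !strcmp(action, "Add") || !strcmp(action, "Edit") ||
                        !strcmp(action, "Delete");
        if (is_change && !in_window) {
            if (strcmp(path, "system.admin") == 0) return IOC_ADMIN_CHANGE;
            if (strncmp(path, "firewall.", 9) == 0) return IOC_POLICY_CHANGE;
        }
    }
    /* Daemon crash/restart lines: the wording matched here is hypothetical. */
    if (log_field(line, "msg", msg, sizeof msg) && strstr(msg, "sslvpnd") &&
        (strstr(msg, "crash") || strstr(msg, "restart")))
        return IOC_SSLVPN_RESTART;
    return IOC_NONE;
}

/* Tallies lines per category; counts[IOC_NONE] holds the benign lines. */
void scan_lines(const char *const *lines, size_t n, int counts[IOC_COUNT])
{
    memset(counts, 0, IOC_COUNT * sizeof counts[0]);
    for (size_t i = 0; i < n; i++)
        counts[classify_line(lines[i])]++;
}

/* Constructed sample lines modelled on FortiGate event-log fields. */
const char *const SAMPLE_LINES[] = {
    "date=2023-06-12 time=03:10:05 type=\"event\" subtype=\"system\" logdesc=\"Object configured\" "
    "user=\"netops\" ui=\"ssh(10.0.0.5)\" action=\"Add\" cfgpath=\"firewall.policy\" cfgobj=\"42\" msg=\"Add firewall.policy 42\"",
    "date=2023-06-12 time=14:22:31 type=\"event\" subtype=\"system\" logdesc=\"Object configured\" "
    "user=\"admin\" ui=\"https(203.0.113.7)\" action=\"Add\" cfgpath=\"system.admin\" cfgobj=\"support_tmp\" msg=\"Add system.admin support_tmp\"",
    "date=2023-06-12 time=14:23:02 type=\"event\" subtype=\"system\" logdesc=\"Object configured\" "
    "user=\"admin\" ui=\"https(203.0.113.7)\" action=\"Edit\" cfgpath=\"firewall.policy\" cfgobj=\"7\" msg=\"Edit firewall.policy 7\"",
    "date=2023-06-12 time=14:20:00 type=\"event\" subtype=\"system\" level=\"warning\" logdesc=\"Daemon status\" msg=\"sslvpnd restarted after crash\"",
    "date=2023-06-12 time=09:00:00 type=\"event\" subtype=\"vpn\" logdesc=\"SSL VPN login\" user=\"alice\" action=\"tunnel-up\" msg=\"SSL tunnel established\"",
};
size_t sample_count(void) { return sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0]; }

int main(void)
{
    static const char *names[IOC_COUNT] = { "benign", "admin change outside window",
        "firewall change outside window", "sslvpnd crash/restart" };
    int counts[IOC_COUNT];
    scan_lines(SAMPLE_LINES, sample_count(), counts);
    for (int i = 0; i < IOC_COUNT; i++)
        printf("%-32s %d\n", names[i], counts[i]);
    return 0;
}
```

In production the window would come from the change-management system and the lines from the syslog feed; the classification itself does not change. The first sample line is a policy change inside the window and is deliberately not flagged, which is what separates this check from a plain "any firewall change" alert.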
Suricata signature (a volumetric heuristic, not a payload match: it fires on repeated oversized ClientHello messages from one source and needs tuning against legitimate large handshakes; it covers port 443 only, so adjust the destination port if SSL-VPN listens on 10443):

```
alert tls $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Fortinet FortiOS CVE-2023-27997 Heap Overflow Probe"; flow:established,to_server; ssl_state:client_hello; dsize:>4096; threshold:type both, track by_src, count 5, seconds 30; sid:9000279; rev:1;)
```
Timeline
| Date | Event |
|---|---|
| May 2023 | US government advisory on Volt Typhoon exploiting Fortinet VPNs |
| June 8, 2023 | Lexfo researchers (Fol/Bertrand) report XORtigate to Fortinet |
| June 11, 2023 | Fortinet releases advisory and patches |
| June 11, 2023 | CISA adds CVE-2023-27997 to KEV catalogue |
| June 2023 | Bishop Fox reports 300,000+ unpatched appliances |
| July 2023 | Akira ransomware exploitation documented |
| September 2023 | Continued exploitation reported; CISA/FBI advisory |