Black Arrow Cyber Advisory - 12 June 2023 – Organisations Urged to Address Critical Vulnerabilities Found in Fortinet and PaperCut Products
Executive summary
A recent report has highlighted the most notable software vulnerabilities in the first half of 2023, including two critical, actively exploited vulnerabilities in PaperCut MF and NG and in Fortinet FortiOS. This comes as Fortinet has recently released a patch for a separate critical vulnerability in FortiOS. All three vulnerabilities allow an attacker to execute unauthorised code remotely and compromise the confidentiality, integrity and availability of data.
Fortinet
CVE-2023-27997 – This recent critical vulnerability is a flaw in the Secure Sockets Layer virtual private network (SSL-VPN) functionality that allows an unauthenticated attacker to execute code remotely and to interfere with VPN connections even if Multi-Factor Authentication (MFA) is in place. SSL-VPN is used to allow users to establish a secure, encrypted connection between the public internet and the corporate network.
CVE-2022-41328 – This is an improper limitation of a pathname (path traversal) vulnerability, which allows an attacker to read and write restricted files. Exploitation allows the attacker to remotely install and execute malware.
What can I do?
Fortinet has released fixes that address CVE-2023-27997, and customers should apply the firmware updates immediately. The following FortiOS versions include patches for the vulnerability: 7.2.5, 7.0.12, 6.4.13 and 6.2.15. An advisory has not been publicly announced yet. Results from Shodan indicate that around 250,000 publicly discoverable devices are vulnerable.
For CVE-2022-41328, customers are recommended to update the affected products immediately, as this vulnerability is being actively exploited.
Affected products include:
- FortiOS version 7.2.0 through 7.2.3 (Patched in version 7.2.4 or above)
- FortiOS version 7.0.0 through 7.0.9 (Patched in version 7.0.10 or above)
- FortiOS version 6.4.0 through 6.4.11 (Patched in version 6.4.12 or above)
- FortiOS version 6.2.0 through 6.2.13 (Patched in version 6.2.14 or above)
- FortiOS 6.0 all versions (No longer supported)
PaperCut
CVE-2023-27350 – This vulnerability allows an unauthenticated attacker to retrieve information about users stored within PaperCut MF or NG, including usernames, full names, email addresses, office/department information and any card numbers associated with the user. The attacker can also retrieve hashed passwords, but only for internal users created within PaperCut.
The following PaperCut MF and NG versions and components are affected by CVE-2023-27350 on all OS platforms:
- version 8.0.0 to 19.2.7
- version 20.0.0 to 20.1.6
- version 21.0.0 to 21.2.10
- version 22.0.0 to 22.0.8
What can I do?
PaperCut has recommended that customers upgrade all application servers and site servers, patching any of the affected products. This vulnerability has been addressed in PaperCut MF and NG versions 20.1.7, 21.2.11 and 22.0.9 and later.
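The version ranges quoted in the Fortinet and PaperCut sections above can be turned into a quick local check. The following is an added example written for this advisory, not code from Black Arrow, Fortinet or PaperCut: it encodes the CVE-2022-41328 and CVE-2023-27350 affected ranges and the CVE-2023-27997 patched releases listed above, and compares versions numerically so that 7.0.10 is correctly treated as newer than 7.0.9. Function names are this example's own, and treating any release older than its branch's listed patched release as needing the update is an assumption of the example, not a statement from the advisory.

```python
# Added example (not from the advisory or either vendor): version checks against the ranges above.
from typing import Optional, Tuple

# (first affected, last affected or None = whole branch, first patched release or None if not listed)
FORTIOS_CVE_2022_41328 = [
    ("7.2.0", "7.2.3", "7.2.4"),
    ("7.0.0", "7.0.9", "7.0.10"),
    ("6.4.0", "6.4.11", "6.4.12"),
    ("6.2.0", "6.2.13", "6.2.14"),
    ("6.0.0", None, None),  # all 6.0 releases affected; branch no longer supported
]
PAPERCUT_CVE_2023_27350 = [
    ("8.0.0", "19.2.7", None),  # advisory lists no patched release for 8.x-19.x
    ("20.0.0", "20.1.6", "20.1.7"),
    ("21.0.0", "21.2.10", "21.2.11"),
    ("22.0.0", "22.0.8", "22.0.9"),
]
# CVE-2023-27997: first patched FortiOS release per branch, as listed above.
FORTIOS_CVE_2023_27997_FIXED = ["7.2.5", "7.0.12", "6.4.13", "6.2.15"]

def parse_version(text: str) -> Tuple[int, ...]:
    """'v7.0.12' -> (7, 0, 12). Tuples compare numerically, so 7.0.10 > 7.0.9;
    comparing the raw strings gets that wrong ('7.0.10' < '7.0.9')."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def in_affected_range(version: str, ranges) -> Tuple[bool, Optional[str]]:
    """Return (affected, patched_release) against explicit affected ranges."""
    v = parse_version(version)
    for low, high, fixed in ranges:
        lo = parse_version(low)
        if high is None:  # whole branch: compare major.minor only
            if v[:2] == lo[:2]:
                return True, fixed
        elif lo <= v <= parse_version(high):
            return True, fixed
    return False, None

def below_fixed_release(version: str, fixed_releases) -> Tuple[bool, Optional[str]]:
    """Assumption of this example: a release older than its branch's listed patched
    release still needs the update; branches not listed (e.g. 6.0) give (False, None)."""
    v = parse_version(version)
    for fixed in fixed_releases:
        f = parse_version(fixed)
        if v[:2] == f[:2]:
            return (True, fixed) if v < f else (False, None)
    return False, None
```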
Further details on the Fortinet vulnerability can be found here:
Further details on the Fortinet CVE-2022-41328 vulnerability can be found here:
https://www.fortiguard.com/psirt/FG-IR-22-369
Further details on the PaperCut vulnerability can be found here: