Over 300,000 FortiGate firewalls are currently got exposure to a severe security flaw known as CVE-2023-27997. Despite Fortinet’s release of an update to address the issue. The vulnerability having severity score of 9.8 out of 10, involves a heap-based buffer overflow problem in FortiOS. This operating system integrates various Fortinet networking components into the Security Fabric platform.
Exploitable Remote Code Execution FortiOS Bug
CVE-2023-27997 permits unauthenticated attackers to execute code remotely on vulnerable devices with the SSL VPN interface exposed on the web. Fortinet cautioned in a mid-June advisory that attacks may have already exploited the flaw. Fortinet promptly released FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 on June 11 to address the vulnerability.
Failure to Patch Leaves Firewalls at Risk
Despite the urgency to patch the vulnerability, offensive security solutions company Bishop Fox recently reveals over 300,000 FortiGate firewall appliances remain vulnerable. These are accessible through the public internet. Researchers at Bishop Fox utilized the Shodan search engine to identify devices that exhibits of an exposed SSL VPN interface. By examining the HTTP response headers, they filtered the results to identify appliances redirecting to ‘/remote/login,’ which indicated an exposed SSL VPN interface.
High Number of Vulnerable Firewalls – FortiOS
Out of the 489,337 devices identified in the search, not all were found to be susceptible to CVE-2023-27997, also known as Xortigate. Further investigation by the researchers discovered that approximately 153,414 of the identified appliances had been updated to a secure version of FortiOS.
This indicates that around 335,900 FortiGate firewalls, accessible online, remain vulnerable to potential attacks. This number significantly surpasses the previous estimate of 250,000 based on less accurate queries. Bishop Fox researchers emphasize promptly patching vulnerable firewalls to mitigate the risk.
Long-Term Neglect of Security Updates
Researchers at Bishop Fox also found that many of the exposed FortiGate devices had not received any updates over the past eight years. Some devices were still running FortiOS 6, which reached its end of support on September 29 of the previous year. As a result, these devices are vulnerable to various critical-severity flaws, some of which have publicly available proof-of-concept exploit code.
Remote Code Execution Exploit
To demonstrate the potential impact of CVE-2023-27997, Bishop Fox developed an exploit that effectively executes remote code on susceptible devices. This exploit involves smashing the heap, establishing a connection to an attacker-controlled server, downloading a BusyBox binary, and opening an interactive shell. In their report, Bishop Fox acknowledges that their exploit closely follows the steps outlined in the original blog post by Lexfo. Moreover, their exploit runs much faster than the demonstration video shown by Lexfo, completing within approximately one second on a 64-bit device.
