Description
A significant security issue, identified as CVE-2023-27997, has left hundreds of thousands of FortiGate firewalls vulnerable, even after Fortinet released a patch to address the problem almost a month ago.
The vulnerability, rated with a severity score of 9.8 out of 10, represents a critical remote code execution flaw. It stems from a heap-based buffer overflow issue within FortiOS, the operating system responsible for connecting various Fortinet networking components and integrating them into the vendor”s Security Fabric platform.
CVE-2023-27997 can be exploited by unauthorized attackers and allows them to remotely execute code on susceptible devices where the SSL VPN interface is exposed on the web. Fortinet cautioned that the vulnerability may have already been exploited in real-world attacks, underscoring the urgency for organizations to take prompt action.
Details
After Fortinet released the necessary patches on June 11, addressing the vulnerability (CVE-2023-27997), the details were not immediately made public. The firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 were released by Fortinet to mitigate the issue. However, concerning findings have been reported by offensive security solutions company Bishop Fox. Their recent analysis reveals that over 300,000 FortiGate firewall appliances remain susceptible to attacks and are accessible via the public internet.
To identify these vulnerable devices, Bishop Fox researchers employed the Shodan search engine. They specifically looked for devices that provided responses indicating the presence of an exposed SSL VPN interface. By examining the HTTP response headers, they focused on devices that redirected to the URL path “/remote/login,” which serves as a clear indicator of an accessible SSL VPN interface.
Further investigation by Bishop Fox researchers revealed that out of the initially identified 489,337 devices, a significant number were not actually vulnerable to the specific CVE-2023-27997 (Xortigate) security issue. Upon closer analysis, it was determined that 153,414 of the discovered appliances had been successfully updated to a secure version of FortiOS, mitigating the vulnerability.
However, the research also unveiled a concerning fact: approximately 335,900 FortiGate firewalls, accessible over the internet remain susceptible to attacks. This number exceeds the previous estimation of 250,000 devices based on less precise queries, highlighting the magnitude of the issue.
Furthermore, the researchers found that many of the exposed FortiGate devices had not received any updates for the past eight years. Some of these devices were still running FortiOS 6, which reached its end of support on September 29, 2022.
The lack of updates leaves these devices vulnerable to several critical-severity flaws, some of which have publicly available proof-of-concept exploit code, further exacerbating the potential risks they face.
Remediation
Ensure FortiGate firewall devices have the latest security updates.
Firewall rules and regulations should be set in a stricter sense to prevent users on the network from browsing and downloading risky content until this issue has been resolved by Fortinet.
Install reputable malware software from a trusted source such as Kaspersky and run scheduled scans on all devices to keep them malware free.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: 300000+ Fortinet Firewalls vulnerable to critical FortiOS RCE bug.pdf
References
Toulas, B. (2023, July 03). 300,000+ Fortinet firewalls vulnerable to critical FortiOS RCE bug. Bleeping Computer. Retrieved from:
https://www.bleepingcomputer.com/news/security/300-000-plus-fortinet-firewalls-vulnerable-to-critical-fortios-rce-bug/
Brooks, R. (2019, June 12). How to Prevent Malware Attacks: 10 Security TIPS. Netwrix. Retrieved from:
https://blog.netwrix.com/2020/06/12/malware-prevention/