failure to patch leaves 300,000 FortiGate firewalls at risk

Specialists of the information security company Bishop Fox report that over 300,000 firewalls FortiGate are critically vulnerable CVE-2023-27997 (CVSS: 9.8) although Fortinet A month ago, an update was released that eliminates this shortcoming.

Vulnerability of remote code execution (Remote Code Execution, RCE) arises from a heap buffer overflow issue in FortiOS, the operating system that connects all Fortinet networking components to integrate them into the Fortinet Security Fabric.

CVE-2023-27997 allows an unauthenticated attacker to remotely execute code on vulnerable devices with a SSL VPNopen on the Internet. Fortinet patched the vulnerability on June 11 before publicly disclosing it. releasing firmware versions FortiOS 6.0.17, 6.2.15, 6.4.13, 7.0.12 and 7.2.5.

According to Bishop Fox, despite calls for a fix, over 300,000 FortiGate firewalls are still vulnerable to attack and accessible over the Internet.

Bishop Fox researchers used a search engine Shodan to look for devices that responded in a way that indicated an insecure SSL VPN interface. This was achieved by looking for devices that returned a specific HTTP response header.

The experts filtered the results to those that redirected to “/remote/login”, which is a clear indication of the SSL VPN’s open interface. Thus, the researchers found about 335,900 FortiGate firewalls available over the Internet that are vulnerable to attack.

Shodan query used to find insecure devices

Bishop Fox also found that many of the open FortiGate devices have not received updates for the past 8 years, some of them running FortiOS 6, which ended support on September 29, 2022. These devices are vulnerable to several critical vulnerabilities that have a public Proof of Concept exploit code. PoC).

To demonstrate that CVE-2023-27997 can be used to remotely execute code on vulnerable devices, Bishop Fox created an exploit which allows you to break the heap, connect back to the attacker’s server, download the BusyBox binary, and open an interactive shell”

Bishop Fox researchers recommend that FortiGate users update their firmware to the latest version as soon as possible and disable the SSL VPN interface when not in use.

March 7, 2023 Fortinet released security updates to fix a critical vulnerability under the identifier CVE-2022-41328. It allowed attackers to remotely execute unauthorized code on a target system. The attacks were aimed at computers running outdated software and targeted primarily large government organizations around the world. The malicious operation resulted in damage to the operating system and loss of data.