Almost a month after Fortinet shipped a fix, a critical vulnerability, CVE-2023-27997, still affects more than 300,000 internet-reachable FortiGate firewalls. The flaw carries a CVSS score of 9.8 out of 10 and is a remote code execution bug rooted in a heap-based buffer overflow in FortiOS, the operating system that integrates Fortinet's networking components into the vendor's Security Fabric platform.
The vulnerability allows an unauthenticated attacker to execute code remotely on any device whose SSL VPN interface is exposed to the internet; no credentials are needed. Fortinet warned in a mid-June advisory that the bug may already have been exploited in attacks. Before disclosing the issue publicly, Fortinet released fixed FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 on June 11.
Despite the availability of patches, Bishop Fox, an offensive security company, reported that more than 300,000 FortiGate appliances reachable from the public internet remain vulnerable. The researchers used the Shodan search engine to enumerate devices with an exposed SSL VPN interface: they searched for hosts returning a specific HTTP response header and then kept only those whose response redirected to '/remote/login', the login path of the FortiGate SSL VPN web portal.
The search returned 489,337 devices, but not all of them were vulnerable to CVE-2023-27997, also known as Xortigate. On closer inspection, 153,414 of those appliances were already running a fixed FortiOS version, which leaves roughly 335,900 internet-reachable FortiGate firewalls still exposed to attack. That figure is notably higher than an earlier estimate of 250,000, which was based on less precise queries.
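The two checks described above (does a host present the FortiGate SSL VPN portal, and is its FortiOS build at or above the fixed release for its branch?) can be scripted against banners such as the ones Shodan returns. The following Python is an added example, not Bishop Fox's tooling or Fortinet's code. It assumes a FortiGate portal answers the root URL with a redirect to /remote/login and that the header Bishop Fox matched on was the portal's Server header, whose value is shown here as a commonly observed fingerprint rather than something the article states; the sample responses are constructed for the demo. The fixed-version table is taken from the releases named in the article.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Lowest fixed patch level per FortiOS branch, from the advisory releases
# named above (6.0.17, 6.2.15, 6.4.13, 7.0.12, 7.2.5).
FIXED_VERSIONS = {(6, 0): 17, (6, 2): 15, (6, 4): 13, (7, 0): 12, (7, 2): 5}

# ASSUMPTION: Server header value commonly seen on FortiGate SSL VPN portals.
# Not stated in the article; used only as the "specific header" signal.
FORTIGATE_SERVER_HEADER = "xxxxxxxx-xxxxx"

LOGIN_PATH = "/remote/login"


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers).

    Header names are lower-cased so lookups are case-insensitive; the body
    is ignored because the fingerprint lives entirely in the head.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def sslvpn_signals(raw: str) -> dict:
    """Return the two Shodan-style signals and their conjunction.

    redirects_to_login: a 3xx whose Location path is /remote/login (query
    strings and absolute URLs are tolerated, so "/remote/login?lang=en" and
    "https://host/remote/login" both count).
    server_match: the assumed FortiGate Server header is present.
    """
    status, headers = parse_response(raw)
    location_path = urlsplit(headers.get("location", "")).path.rstrip("/")
    redirects = 300 <= status < 400 and location_path == LOGIN_PATH
    server_match = headers.get("server", "") == FORTIGATE_SERVER_HEADER
    return {
        "redirects_to_login": redirects,
        "server_match": server_match,
        "exposed_sslvpn": redirects and server_match,
    }


def parse_version(version: str):
    """Turn 'v7.0.11' or '7.0.11' into (7, 0, 11); reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised FortiOS version: %r" % version)
    return tuple(int(x) for x in m.groups())


def is_fixed_version(version: str) -> Optional[bool]:
    """True if the build is at or above its branch's fixed release.

    Returns None for branches the advisory's fixed list does not cover, so a
    caller never silently treats an unknown branch as safe or as vulnerable.
    """
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_VERSIONS.get((major, minor))
    if fixed_patch is None:
        return None
    return patch >= fixed_patch


def triage(raw_response: str, version: Optional[str]) -> str:
    """Combine both checks into one label for a scanned host."""
    if not sslvpn_signals(raw_response)["exposed_sslvpn"]:
        return "not-fortigate-sslvpn"
    if version is None:
        return "exposed-version-unknown"
    fixed = is_fixed_version(version)
    if fixed is None:
        return "exposed-branch-not-in-advisory"
    return "exposed-patched" if fixed else "exposed-vulnerable"


# Constructed sample banners (not real scan data).
SAMPLE_FORTIGATE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: xxxxxxxx-xxxxx\r\n"
    "Location: /remote/login?lang=en\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_OTHER_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Location: https://example.invalid/remote/login\r\n\r\n"
)
SAMPLE_PLAIN = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, raw, ver in [
        ("fortigate-old", SAMPLE_FORTIGATE, "7.0.11"),
        ("fortigate-fixed", SAMPLE_FORTIGATE, "7.0.12"),
        ("other-redirect", SAMPLE_OTHER_REDIRECT, "7.0.11"),
        ("plain", SAMPLE_PLAIN, None),
    ]:
        print(label, "->", triage(raw, ver))
```

The `None` return from `is_fixed_version` is deliberate: a host on a branch the advisory does not list (or an unparseable banner, which raises) should surface as "needs a human", not be folded into either the patched or the vulnerable bucket, which is exactly the kind of silent misclassification that makes coarse Shodan counts drift.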
Bishop Fox also found that many of the exposed FortiGate devices had not been updated in eight years, and that some still run FortiOS 6.0, which reached end of support on September 29, 2022. Such devices are exposed to several other critical-severity flaws for which proof-of-concept exploit code is publicly available. To demonstrate that CVE-2023-27997 yields remote code execution on vulnerable devices, Bishop Fox built an exploit that 'smashes the heap, connects back to an attacker-controlled server, downloads a BusyBox binary, and opens an interactive shell.' It completes in roughly one second, considerably faster than the exploit shown in Lexfo's demo video.