Critical Vulnerability in Fortinet Firewalls Exposes Hundreds of Thousands of Devices: Patch Urgently Required

Critical Vulnerability in Fortinet Firewalls Exposes Hundreds of Thousands of Devices: Patch Urgently Required

Security researchers at Bishop Fox LLC issued a warning Friday that hundreds of thousands of Fortinet Inc. firewalls are still vulnerable to attack because they have not been patched following the disclosure of a critical vulnerability in June. The vulnerability is a remote code execution with a severity score of 9.8 out of 10 resulting from a heap-based buffer overflow issue in FortiOS, the operating system that connects all Fortinet network components to be integrated in the vendor's Security Fabric platform and which is designated as CVE-2023-27997, is a "heap overflow" issue found in FortiOS, the operating system that powers FortiGate firewalls. This affects the secure system socket layer virtual private network interface.

Offensive security solutions company Bishop Fox reported on Friday that despite calls for patching, more than 300,000 FortiGate firewall devices are still vulnerable to attacks and can be reached via the public internet, although Fortinet has released patches, about 69% are still unpatched, making them vulnerable to potential exploits. Bishop Fox researchers used the Shodan search engine to find devices that responded in a way that indicated an open SSL VPN interface. They achieved this by looking for devices that returned specific HTTP response headers. To prove the risk posed by this vulnerability, the Bishop Fox Capability Development team developed an exploit that involves remotely executing code that compromises the target system, allowing it to reconnect to a server controlled by the attacker. Once the connection is established, the exploit downloads the binary and opens an interactive shell on the target device.

The query above shows 489,337 devices but not all of them are vulnerable to CVE-2023-27997, also referred to as Xortigate. Investigating further, the researchers found that 153,414 devices found had been updated to a secure FortiOS version. This means that around 335,900 FortiGate firewalls reachable via the web are vulnerable to attack, a number much higher than the 250,000 recently estimated based on other less accurate queries. The researchers concluded by advising all users of Fortinet FortiGate firewalls to install the patch as soon as possible.

Bishop Fox researchers found that many of the exposed FortiGate devices had not received updates for the past eight years, some of them running FortiOS 6, which reached the end of support last year on September 29. These devices are vulnerable to several critical severity flaws that have publicly available proof-of-concept exploit code. To demonstrate that CVE-2023-27997 can be used to remotely execute code on vulnerable devices, Bishop Fox created an exploit that allows "destroying the heap, reconnecting to an attacker-controlled server, downloading the BusyBox binary, and opening an interactive shell."

This is an untrusted data deserialization that can lead to remote code execution (RCE) without authentication. The products affected by this flaw are:

  • FortiNAC 8.6, all versions
  • FortiNAC 8.5, all versions
  • FortiNAC 8.3, all versions
  • FortiNAC versions 7.2.0 to 7.2.1
  • FortiNAC 8.8, all versions
  • FortiNAC 8.7, all versions
  • FortiNAC version 9.4.0 to 9.4.2
  • FortiNAC version 9.2.0 to 9.2.7
  • FortiNAC version 9.1.0 to 9.1.9

The recommended versions to be upgraded to overcome the risks arising from vulnerabilities are:

  • FortiNAC 9.1.10 or higher
  • FortiNAC 7.2.2 or higher
  • FortiNAC 9.4.3 or later
  • FortiNAC 9.2.8 or higher

The vendor does not provide mitigation advice, so the recommended action is to apply any available security updates. CVE-2023-33299 was discovered by Florian Hauser of the Code White company that provides red teaming, penetration testing and threat intelligence services. Alongside the critical RCE, Fortinet also announced today that it has fixed a medium severity vulnerability tracked as CVE-2023-33300 - an improper access control issue affecting FortiNAC 9.4.0 to 9.4.3 and FortiNAC 7.2.0 to 7.2.1. The lower severity is given by the fact that CVE-2023-33300 can be exploited locally by an attacker with high enough privileges to access the copied data.