Security researchers at Bishop Fox LLC issued a warning
Friday that hundreds of thousands of Fortinet Inc. firewalls are still
vulnerable to attack because they have not been patched following the
disclosure of a critical vulnerability in June. The vulnerability, designated
CVE-2023-27997, is a heap-based buffer overflow in FortiOS, the operating
system that powers FortiGate firewalls and connects all Fortinet network
components into the vendor's Security Fabric platform. It allows remote code
execution and carries a severity score of 9.8 out of 10. The flaw affects the
Secure Sockets Layer (SSL) virtual private network (VPN) interface.
Offensive security solutions company Bishop Fox reported on
Friday that, despite calls for patching, more than 300,000 FortiGate firewall
devices are still vulnerable to attack and can be reached via the public
internet. Although Fortinet has released patches, about 69% of the exposed
devices are still unpatched, leaving them open to potential exploits. Bishop Fox
researchers used the Shodan search engine to find devices that responded in a
way that indicated an open SSL VPN interface; they did this by looking for
devices that returned specific HTTP response headers. To prove the risk posed by
this vulnerability, the Bishop Fox Capability Development team developed an
exploit that executes code remotely on the target system, causing it to connect
back to a server controlled by the attacker. Once the connection is
established, the exploit downloads a binary and opens an interactive shell on
the target device.
The Shodan query returned 489,337 devices, but not all of them
are vulnerable to CVE-2023-27997, also referred to as Xortigate. Investigating
further, the researchers found that 153,414 of these devices had been updated
to a secure FortiOS version. This leaves around 335,900 FortiGate firewalls
reachable via the web that are vulnerable to attack, a number much higher than
the 250,000 recently estimated from other, less accurate queries. The
researchers concluded by advising all users of Fortinet FortiGate firewalls to
install the patch as soon as possible.
CVE-2023-27997, heap overflow in the FortiOS OS behind FortiGate firewalls that allows RCE. 490,000 affected SSL VPN interfaces are exposed online.
— Cyber Advising (@cyber_advising) July 1, 2023
PoC https://t.co/V6ObaPXyZa
Bishop Fox researchers found that many of the exposed
FortiGate devices had not received updates for the past eight years, some of
them running FortiOS 6, which reached the end of support last year on September
29. These devices are vulnerable to several critical severity flaws that have
publicly available proof-of-concept exploit code. To demonstrate that
CVE-2023-27997 can be used to remotely execute code on vulnerable devices,
Bishop Fox created an exploit that allows "destroying the heap,
reconnecting to an attacker-controlled server, downloading the BusyBox binary,
and opening an interactive shell."
A separate flaw, CVE-2023-33299 in FortiNAC, is a deserialization of
untrusted data that can lead to remote code execution (RCE) without
authentication. The products affected by this flaw are:
- FortiNAC 8.6, all versions
- FortiNAC 8.5, all versions
- FortiNAC 8.3, all versions
- FortiNAC 7.2.0 to 7.2.1
- FortiNAC 8.8, all versions
- FortiNAC 8.7, all versions
- FortiNAC 9.4.0 to 9.4.2
- FortiNAC 9.2.0 to 9.2.7
- FortiNAC 9.1.0 to 9.1.9
The recommended versions to upgrade to in order to remove the risk are:
- FortiNAC 9.1.10 or later
- FortiNAC 7.2.2 or later
- FortiNAC 9.4.3 or later
- FortiNAC 9.2.8 or later
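The affected and fixed ranges above are awkward to check by hand across an estate because the cut-off differs per branch and the 8.x branches have no fixed release listed. The following added example (not Fortinet, Bishop Fox or Code White code) encodes only the ranges quoted on this page and triages a constructed inventory of hostname/version pairs; hostnames, versions and the inventory format are assumptions.

```python
from typing import Optional, Tuple

# branch -> (first affected, last affected); None = whole branch is affected
AFFECTED = {
    (7, 2): ((7, 2, 0), (7, 2, 1)),
    (8, 3): None, (8, 5): None, (8, 6): None, (8, 7): None, (8, 8): None,
    (9, 1): ((9, 1, 0), (9, 1, 9)),
    (9, 2): ((9, 2, 0), (9, 2, 7)),
    (9, 4): ((9, 4, 0), (9, 4, 2)),
}
# first fixed release per branch as listed above; none is listed for 8.x
FIXED = {(7, 2): "7.2.2", (9, 1): "9.1.10", (9, 2): "9.2.8", (9, 4): "9.4.3"}

def parse_version(text: str) -> Tuple[int, ...]:
    """'9.4.2' -> (9, 4, 2); a two-part '9.4' is padded to (9, 4, 0)."""
    parts = text.strip().lstrip("v").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiNAC version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended version); status is affected/fixed/unknown."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in AFFECTED:
        return "unknown", None  # branch not named in the advisory text above
    fix = FIXED.get(branch)
    rng = AFFECTED[branch]
    if rng is None or rng[0] <= v <= rng[1]:
        return "affected", fix
    return "fixed", fix

def triage(inventory: str) -> dict:
    """Map each 'host version' line to assess() output; bad lines -> unknown."""
    result = {}
    for line in inventory.strip().splitlines():
        host, _, ver = line.partition(" ")
        try:
            result[host] = assess(ver)
        except ValueError:
            result[host] = ("unknown", None)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = "nac-hq 9.4.2\nnac-lab 9.4.3\nnac-old 8.6.1\nnac-dc 7.2.0\nnac-x 9.3.1\n"

if __name__ == "__main__":
    for host, (status, fix) in triage(SAMPLE).items():
        print(host, status, f"(upgrade to {fix} or later)" if status == "affected" and fix else "")
```

Devices on an 8.x branch come back as affected with no in-branch target, matching the advisory text, which names fixed releases only for 7.2, 9.1, 9.2 and 9.4.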
The vendor does not provide mitigation advice, so the recommended action is to apply the available security updates. CVE-2023-33299 was discovered by Florian Hauser of Code White, a company that provides red teaming, penetration testing and threat intelligence services. Alongside the critical RCE, Fortinet also announced today that it has fixed a medium severity vulnerability tracked as CVE-2023-33300, an improper access control issue affecting FortiNAC 9.4.0 to 9.4.3 and FortiNAC 7.2.0 to 7.2.1. The lower severity reflects that CVE-2023-33300 can only be exploited locally, by an attacker with high enough privileges to access the copied data.