Hundreds of thousands of FortiGate firewalls are still vulnerable to the critical RCE bug CVE-2023-27997, although Fortinet developers released an update a month ago that fixes this problem.
Fortinet no longer surprises with security bugs. For example, at the beginning of the year we talked about an exploit to a critical vulnerability in the company’s products, and a serious problem arose in the FortiGate firewalls last fall. And also information security specialists talked about the leak of Fortinet VPN accounts.
Vulnerability CVE-2023-27997 allows remote code execution and received a rating of 9.8 points out of 10 on the CVSS scale. The bug occurs due to a heap buffer overflow in the FortiOS operating system, which integrates all Fortinet network solutions for their integration into the Security Fabric platform.
In fact, the bug allows an unauthenticated attacker to remotely execute arbitrary code on a device with an SSL VPN interface accessible via the Internet. In mid-June of this year, the manufacturer warned that this problem could be used in hacker attacks.
The vulnerability was fixed on June 11, 2023, and before reporting it publicly, the developers released FortiOS 6.0.17, 6.2.15, 6.4.13, 7.0.12 and 7.2.5 updates.
More than 300,000 FortiGate firewalls are still vulnerable to attack and accessible over the Internet, according to researchers at Bishop Fox now.
To collect these statistics, the researchers used Shodan to find devices with an insecure SSL VPN interface. They filtered the results to find redirects to /remote/login, which is a sure sign of an open SSL VPN interface.
As a result, the request helped to find 489,337 devices, although not all of them were vulnerable to CVE-2023-27997. So, in the course of further analysis, the researchers found that 153,414 devices still received updates to new versions of FortiOS.
However, this means that about 335,900 FortiGate firewalls available over the Internet are still vulnerable to attacks on CVE-2023-2799. Unfortunately, this far exceeds the estimate of 250,000 vulnerable devices previously given by information security experts.
Worse, Bishop Fox found that many FortiGate devices available online have not received any updates at all for the past eight years.
Some of them are still running FortiOS 6, support for which ended last year. As a result, such devices are vulnerable to several critical bugs at once, for which PoC exploits have long been available.
The researchers also attached to their report a demonstration of the PoC exploit for CVE-2023-27997, emphasizing that the vulnerability can be used to remotely execute code on vulnerable devices. This exploit, designed to check the devices of Bishop Fox clients, can be seen below.
