300,000+ Fortinet firewalls vulnerable to critical FortiOS RCE bug
A critical security flaw, identified as CVE-2023-27997, has left hundreds of thousands of FortiGate firewalls vulnerable, despite Fortinet having released an update to resolve the issue nearly a month ago. This vulnerability poses a significant risk, with a severity score of 9.8 out of 10, and it stems from a heap-based buffer overflow problem within FortiOS, the operating system that unites various Fortinet networking components into the vendor’s Security Fabric platform.
CVE-2023-27997 is a remotely exploitable vulnerability that lets unauthenticated attackers execute code on devices whose SSL VPN interface is exposed to the internet. The vendor had warned in mid-June that the flaw may already have been used in attacks.
Fortinet took action to address this vulnerability on June 11, proactively releasing FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 before disclosing the issue to the public.
Bishop Fox, a company specializing in offensive security solutions, issued a report on Friday highlighting a concerning situation. Despite repeated calls for patching, more than 300,000 FortiGate firewall appliances remain susceptible to attacks and are accessible via the public internet.
To identify these exposed devices, Bishop Fox researchers used the Shodan search engine. They looked for hosts whose HTTP response indicated an exposed SSL VPN interface, as revealed by a distinctive response header: specifically, they homed in on devices that redirected to '/remote/login', the FortiGate SSL VPN login page and a clear sign that the interface is reachable.
The initial query returned 489,337 devices, but not all of them were vulnerable to CVE-2023-27997, also known as Xortigate. On closer inspection, the researchers found that 153,414 of the discovered appliances had been updated to a fixed FortiOS version, leaving roughly 335,900 internet-reachable FortiGate firewalls still susceptible to attack. Bishop Fox notes that this is significantly higher than earlier, less precise estimates of around 250,000.
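The two steps Bishop Fox describes, fingerprinting an exposed SSL VPN portal by its redirect to '/remote/login' and then separating hosts on a fixed FortiOS release from those still exposed, can be reproduced as a small triage script. The example below is added here for illustration and is not Bishop Fox's tooling or anything from Fortinet. It assumes any 3xx redirect with a Location header ending in the portal path counts as a match (the article does not give the exact status code), and it takes the per-host FortiOS version as an input field, since the article does not say how Bishop Fox determined versions. The fixed-release list is the one the article quotes; a version on a branch that list does not name is reported as unknown rather than guessed at. The scan records are constructed, using documentation-range IP addresses.

```python
"""Added example: triage Shodan-style records for exposed FortiGate SSL VPN
portals and compare each host's FortiOS version with Fortinet's fixed releases.

Not Bishop Fox's code. Sample records below are constructed; how a version
string is obtained per host is assumed (passed in as a field).
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Fixed releases named by Fortinet for CVE-2023-27997, keyed by branch.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}

# Assumption: any redirect status counts; the article only says "redirected".
_REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '7.2.5' or 'v7.2.5' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(version: str) -> Optional[bool]:
    """True if at or above the fixed release for the host's branch, False if
    below it, None if the branch is not in the fix list (no guessing)."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def is_ssl_vpn_portal(status: int, headers: dict[str, str]) -> bool:
    """The article's fingerprint: an HTTP redirect to /remote/login.
    Header names match case-insensitively; query strings and absolute
    URLs in the Location value are tolerated."""
    if status not in _REDIRECT_CODES:
        return False
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    return urlsplit(location).path == "/remote/login"


def triage(records: list[dict]) -> dict[str, int]:
    """Bucket records into the article's categories. Each record carries
    'status', 'headers' and an optional 'version' string."""
    counts = {"exposed": 0, "patched": 0, "unpatched": 0, "unknown": 0}
    for rec in records:
        if not is_ssl_vpn_portal(rec["status"], rec["headers"]):
            continue  # not an exposed SSL VPN portal; ignore
        counts["exposed"] += 1
        version = rec.get("version")
        verdict = is_patched(version) if version else None
        if verdict is None:
            counts["unknown"] += 1
        elif verdict:
            counts["patched"] += 1
        else:
            counts["unpatched"] += 1
    return counts


# Constructed sample records (not real scan data).
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "status": 303,
     "headers": {"Location": "/remote/login?lang=en"}, "version": "7.2.5"},
    {"ip": "192.0.2.11", "status": 302,
     "headers": {"location": "https://192.0.2.11/remote/login"}, "version": "7.0.11"},
    {"ip": "192.0.2.12", "status": 303,
     "headers": {"Location": "/remote/login"}, "version": "6.0.16"},
    {"ip": "192.0.2.13", "status": 200,          # no redirect: not a portal
     "headers": {"Content-Type": "text/html"}, "version": "7.2.4"},
    {"ip": "192.0.2.14", "status": 303,          # branch not in fix list
     "headers": {"Location": "/remote/login"}, "version": "7.4.0"},
    {"ip": "192.0.2.15", "status": 303,          # version not determined
     "headers": {"Location": "/remote/login"}, "version": None},
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
```

Two design points worth keeping in a real run: the redirect check is a fingerprint, not proof of vulnerability, so every hit still needs a version verdict; and a branch outside the fix list is reported as unknown so that the "patched" count never silently absorbs releases the advisory did not cover.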
Bishop Fox also found that many of the exposed FortiGate devices had not been updated in up to eight years. Some were still running FortiOS 6, which reached end of support on September 29 of the previous year. These outdated devices are exposed to multiple critical-severity flaws for which proof-of-concept exploit code is publicly available.
To underscore the severity of the situation and demonstrate the consequences of CVE-2023-27997, Bishop Fox built an exploit that achieves remote code execution on vulnerable devices. It does so by "smashing the heap," connecting back to an attacker-controlled server, downloading a BusyBox binary, and opening an interactive shell.
In their report, Bishop Fox noted, “This exploit very closely follows the steps detailed in the original blog post by Lexfo […] and runs in approximately one second, which is significantly faster than the demo video on a 64-bit device shown by Lexfo.” This highlights the urgency of addressing these vulnerabilities to safeguard FortiGate firewall appliances from potential attacks.