
335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997

Researchers reported that there are 490,000 Fortinet firewalls exposing SSL VPN interfaces on the internet, and roughly 69% of them are still vulnerable to CVE-2023-27997.

In mid-June Fortinet addressed a critical flaw, tracked as CVE-2023-27997 (CVSS score: 9.2), in FortiOS and FortiProxy that was likely exploited in a limited number of attacks.

“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.” reads the advisory.

The vulnerability is a heap-based buffer overflow issue and according to the vendor it may have been exploited in a limited number of attacks aimed at government, manufacturing, and critical infrastructure sectors.

“Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation.” states the report published by Fortinet. “For this reason, if the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release. If the customer is not operating SSL-VPN the risk of this issue is mitigated – however, Fortinet still recommends upgrading.”

A remote attacker can trigger the vulnerability to execute arbitrary code or commands by sending specifically crafted requests to vulnerable devices.

The vulnerability was reported to Fortinet by the researchers Charles Fol and Dany Bach (DDXhunter) from Lexfo Security. The researchers describe the issue as reachable before authentication and as affecting every SSL VPN appliance.

Researchers from the security firm Bishop Fox reported that there are 490,000 affected SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched.

Bishop Fox’s Capability Development team built an exploit for the vulnerability CVE-2023-27997.

The researchers created their own Shodan query to locate only the relevant instances: they searched for any server returning the (oddly formatted) HTTP response header Server: xxxxxxxx-xxxxx and then filtered down to those that redirect to /remote/login, the path that exposes the SSL VPN interface.

$ shodan count '"Server: xxxxxxxx-xxxxx" http.html:"top.location=/remote/login"'
489337

The query returns approximately 490,000 instances, a figure that is double the one obtained using a query that searches for the exposed SSL certificate.

“If only 153,414 devices on the internet are patched, that leaves 335,923 / 489,337 = 69% unpatched.” states the analysis published by Bishop Fox.

The analysis of the Last-Modified header values revealed a lot of outliers in 2018 and earlier; the researchers noticed that there is a handful of devices running 8-year-old FortiOS on the internet. These devices are affected by multiple critical vulnerabilities that the company has addressed over the years and for which proof-of-concept exploit code is publicly available.

Logarithmic view of FortiOS installations from April 2014 to June 2023

FortiOS installations of versions 5,6, and 7 from December 2015 to June 2023

“There’s lots of version 7 (released early 2021), and a ton of version 6 which is gradually reaching end of life.” continues the report.
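As an added example (not Bishop Fox's or Fortinet's code), the two fingerprint conditions from the Shodan query above turned into a defender's own inventory check: it parses constructed HTTP responses, keeps only those that match both the Server header and the /remote/login redirect, ages them by Last-Modified, and reports the share older than an assumed fix cutoff date (the cutoff and the sample responses are assumptions, not values from the report).

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed cutoff standing in for the mid-June 2023 fix: a response last modified
# before it is treated as not yet upgraded (a heuristic, not a vendor version check).
FIX_CUTOFF = datetime(2023, 6, 12, tzinfo=timezone.utc)
FORTI_SERVER = "xxxxxxxx-xxxxx"  # the odd Server header value from the query
REDIRECT_RE = re.compile(r'top\.location\s*=\s*["\']?/remote/login')

def resp(server, last_modified, body):
    # Build a constructed raw HTTP response (sample data, not real hosts).
    lm = f"Last-Modified: {last_modified}\r\n" if last_modified else ""
    return f"HTTP/1.1 200 OK\r\nServer: {server}\r\n{lm}\r\n{body}"

REDIR = '<script>top.location="/remote/login";</script>'
SAMPLES = [  # constructed: three SSL VPN portals, one nginx site, one non-portal
    resp(FORTI_SERVER, "Tue, 20 Jun 2023 10:00:00 GMT", REDIR),
    resp(FORTI_SERVER, "Sun, 03 Mar 2019 08:30:00 GMT", REDIR),
    resp(FORTI_SERVER, "Mon, 11 May 2015 12:00:00 GMT", "top.location=/remote/login"),
    resp("nginx", "Mon, 01 May 2023 00:00:00 GMT", '<a href="/remote/login">x</a>'),
    resp(FORTI_SERVER, None, "<html>admin</html>"),
]

def parse_response(raw):
    # Split a raw response into a lower-cased header dict and the body.
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def is_fortios_sslvpn(raw):
    # Both fingerprint conditions from the Shodan query: header value + redirect.
    headers, body = parse_response(raw)
    return headers.get("server") == FORTI_SERVER and bool(REDIRECT_RE.search(body))

def triage(samples):
    """Count fingerprinted portals, those modified before FIX_CUTOFF, and years."""
    matched, stale, years = 0, 0, {}
    for raw in samples:
        if not is_fortios_sslvpn(raw):
            continue
        matched += 1
        lm = parse_response(raw)[0].get("last-modified")
        if not lm:
            continue  # nothing to age; still counted as exposed
        ts = parsedate_to_datetime(lm)
        ts = ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)  # "-0000" parses naive
        years[ts.year] = years.get(ts.year, 0) + 1
        stale += ts < FIX_CUTOFF
    return {"matched": matched, "stale": stale,
            "stale_share": stale / matched if matched else 0.0, "years": years}
```

Run against your own export of scan results, the years dictionary surfaces the kind of 2018-and-earlier outliers the report describes.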

Experts recommend that organizations using FortiGate firewalls, or anything else powered by FortiOS, follow Fortinet’s advisory for this issue and upgrade their firmware immediately.


Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)
