Hundreds of Thousands of FortiGate Firewalls Still Vulnerable to CVE-2023-27997
Hundreds of thousands of FortiGate firewalls are still vulnerable to the critical issue CVE-2023-27997, despite the fact that Fortinet developers released an update a month ago that fixes this bug. Vulnerability CVE-2023-27997 allows remote code execution and received a rating of 9.8 points out of 10 on the CVSS scale. The bug occurs due to a heap buffer overflow in the FortiOS operating system, which integrates all Fortinet network solutions for their integration into the Security Fabric platform.
In mid-June of this year, the manufacturer warned that this problem could be used in hacker attacks. The vulnerability was fixed on June 11, 2023, and before reporting it publicly, the developers released FortiOS 6.0.17, 6.2.15, 6.4.13, 7.0.12 and 7.2.5 updates.
335,900 FortiGate Firewalls Still Vulnerable to Attack
More than 300,000 FortiGate firewalls are still vulnerable to attack and accessible over the Internet, according to researchers at Bishop Fox now. To collect these statistics, the researchers used Shodan to find devices with an insecure SSL VPN interface. They filtered the results to find redirects to /remote/login, which is a sure sign of an open SSL VPN interface.
As a result, the request helped to find 489,337 devices, although not all of them were vulnerable to CVE-2023-27997. So, in the course of further analysis, the researchers found that 153,414 devices had received updates to new versions of FortiOS. This means that about 335,900 FortiGate firewalls available over the Internet are still vulnerable to attacks on CVE-2023-2799.
Unfortunately, this far exceeds the estimate of 250,000 vulnerable devices previously given by information security experts. Worse, Bishop Fox found that many FortiGate devices available on the network did not receive any updates at all. Some of them are still running FortiOS 6, support for which ended last year. As a result, such devices are vulnerable to several critical bugs at once, for which PoC exploits have long been available.
The researchers also attached to their report a demonstration of the PoC exploit for CVE-2023-27997, emphasizing that the vulnerability can be used to remotely execute code on vulnerable devices. This exploit, designed to check the devices of Bishop Fox clients, can be seen below.
Organizations that use FortiGate firewalls should make sure that their devices are updated to the latest version of FortiOS. This will ensure that their network is protected from the CVE-2023-27997 vulnerability and other critical bugs.