Fortigate Firewalls Under Threat: A Deep Dive into Vulnerability CVE-2023-27997

Reading Time: ( Word Count: )

July 8, 2023
Nextdoorsec-course

New findings suggest that Fortigate firewalls are at risk from remote code execution (RCE) attacks. A staggering 490,000 SSL VPN interfaces linked to these firewalls are accessible online, with approximately 69% still awaiting updates.

The security firm Bishop Fox created a proprietary exploit for CVE-2023-27997, a heap overflow in FortiOS—the operating system powering FortiGate firewalls. This particular vulnerability allows remote code execution.

CVE-2023-27997 causes a heap-based buffer leak in FortiGate’s SSL VPN module. Demonstrations have shown that attackers can exploit this weakness for pre-authentication remote code execution.

In order to address the disclosed risk, Fortinet has released updates and suggested an alternative solution. With the use of this misuse, users can alter the heap, establish a connection to a site under their control, get the BusyBox binary, and launch a virtual shell. 

The steps to achieve this exploit closely resemble the procedure outlined in a blog post by Lexfo. It is possible for someone to execute these steps in about one second.

The following Shodan CLI search shows approximately 490,000 unsecured SSL VPN ports connected to The Fortigate Firewall.

Fortigate Firewalls Under Threat

Also Read: “Google Tackles 46 Vulnerabilities with Monthly Android Security Update”

In the past two months, Shodan has identified 335,923 devices that still need to patch the Last-Modified HTTP response header.

In the query below, we assumed that half of the devices installed in May had been patched. This assumption considers the presence of overlapping versions during that period. Additionally, all installations from June are assumed to be patched.

Fortigate Firewalls Under Threat

Based on these results, only 153,414 devices have received patches, leaving a worrying 69% (or 335,923 of 489,337) of devices unpatched.

The investigative team’s deeper examination revealed numerous installations of version 7 (released in early 2021) and a large number of version 6, which is gradually nearing the end of its lifecycle.

Noor Khan

Noor Khan

Author

My name is Noor, and I am a seasoned entrepreneur focused on the area of artificial intelligence. As a robotics and cyber security researcher, I love to share my knowledge with the community around me.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *