About 69% of FortiGate firewalls affected by the recently discovered FortiOS vulnerability remain unpatched, according to Bishop Fox security researchers.
The flaw (CVE-2023-27997), a heap overflow in the FortiGate SSL-VPN interface that can lead to remote code execution (RCE), was patched by Fortinet in mid-June.
For more information about this vulnerability, see Fortinet Addresses Critical Vulnerability in FortiGate SSL-VPN.
In a recently published advisory, Bishop Fox’s Capability Development team said it had developed a working exploit for the vulnerability.
“Our exploit corrupts the heap, connects back to an attacker-controlled server, downloads a BusyBox binary, and opens an interactive shell,” explained Caleb Gross, Bishop Fox’s director of capability development.
The entire process reportedly took about a second, significantly faster than the previous demonstration provided by Lexfo.
Gross added that a search on Shodan, a search engine for internet-connected devices, turned up about 490,000 affected SSL VPN interfaces exposed to the internet.
“This FortiOS Heap Overflow Vulnerability is rated Critical and requires firmware updates,” commented Timothy Morris, Tanium Chief Security Advisor.
“That’s a good reason to patch. But the exploit code is there and the fact that these security appliances are usually on the perimeter should be addressed immediately.”
Bishop Fox also cautioned that an earlier report estimating 250,000 exposed FortiGate firewalls, based solely on SSL certificates, may not reflect the actual number of vulnerable devices. The likely reason is that the search queries behind that report did not specifically target the SSL VPN interface where the vulnerability lives, so a certificate match says nothing about whether the vulnerable service is actually reachable.
A more effective way to pinpoint vulnerable devices, Gross says, is to search for servers that return a specific HTTP response header and then filter those results down to the devices that redirect to a specific path, a two-stage filter that matches the SSL VPN interface itself.
That closer analysis found only 153,414 patched devices exposed on the internet, which leaves roughly 69% of the exposed population unpatched.
Bishop Fox’s analysis also broke the population down by major FortiOS version. A significant share of installations runs the current FortiOS 7, but many devices still run older branches, notably FortiOS 5, which is no longer supported and therefore has no fixed build available.
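The two-stage filter Gross describes, followed by the patched-versus-unpatched tally, as an added Python illustration (this is not Bishop Fox’s tooling or code from the article). The Server header value, the login path, the fixed-version table, and the sample responses are all assumptions constructed for the example, and it assumes each matched device’s FortiOS version is already known from some other source:

```python
"""Two-stage FortiGate SSL-VPN fingerprint plus a patched/unpatched tally.

Added illustration for this article; it is not Bishop Fox's tooling.
The Server header value, the login path, the fixed-version table and the
sample responses below are assumptions constructed for the example.
"""
from collections import Counter
from urllib.parse import urlparse

# Assumed fingerprint: the SSL-VPN portal answers with this Server header
# and redirects requests for the root path to its login page.
ASSUMED_SERVER_HEADER = "xxxxxxxx-xxxxx"
ASSUMED_LOGIN_PATH = "/remote/login"
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Assumed: first fixed build per supported FortiOS branch. Verify against
# Fortinet's advisory before relying on this table for real decisions.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}


def parse_response(raw: str):
    """Split a raw HTTP response into (status code, lowercased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def is_fortigate_sslvpn(raw: str) -> bool:
    """Stage 1: Server header match. Stage 2: redirect to the login path.

    Both must hold. A header match alone is what a broad query returns,
    and it also catches pages on the box that are not the VPN portal.
    """
    status, headers, _ = parse_response(raw)
    if headers.get("server") != ASSUMED_SERVER_HEADER:
        return False
    if status not in REDIRECT_CODES:
        return False
    return urlparse(headers.get("location", "")).path == ASSUMED_LOGIN_PATH


def parse_version(version: str):
    return tuple(int(p) for p in version.split("."))


def patch_status(version: str) -> str:
    """Classify a FortiOS version string against the fixed-version table."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return "patched" if v >= FIXED_VERSIONS[branch] else "unpatched"
    if branch > max(FIXED_VERSIONS):
        return "patched"  # assumed: branches newer than 7.2 shipped after the fix
    return "end-of-life"  # e.g. FortiOS 5.x: no fixed build exists, so it stays exploitable


def summarize(inventory):
    """Apply the fingerprint, then tally major versions and patch status.

    inventory: iterable of (raw_http_response, fortios_version). Where the
    version comes from is outside this example; here it is supplied.
    End-of-life devices count as unpatched, since no fix exists for them.
    """
    versions = [ver for raw, ver in inventory if is_fortigate_sslvpn(raw)]
    by_major = Counter(parse_version(v)[0] for v in versions)
    status = Counter(patch_status(v) for v in versions)
    total = len(versions)
    unpatched = total - status["patched"]
    return {
        "matched": total,
        "by_major": dict(by_major),
        "status": dict(status),
        "pct_unpatched": round(100.0 * unpatched / total, 1) if total else 0.0,
    }


def _resp(status_line, **headers):
    """Build a constructed raw HTTP response for the sample data."""
    lines = [status_line] + [f"{k.replace('_', '-')}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample data: five portals plus two decoys that stage 1 or
# stage 2 should drop. Versions are made up for the example.
SAMPLE_INVENTORY = [
    (_resp("HTTP/1.1 302 Found", Server=ASSUMED_SERVER_HEADER,
           Location="https://203.0.113.10/remote/login"), "7.2.5"),
    (_resp("HTTP/1.1 302 Found", Server=ASSUMED_SERVER_HEADER,
           Location="/remote/login?lang=en"), "7.0.11"),
    (_resp("HTTP/1.1 303 See Other", Server=ASSUMED_SERVER_HEADER,
           Location="/remote/login"), "6.4.13"),
    (_resp("HTTP/1.1 302 Found", Server=ASSUMED_SERVER_HEADER,
           Location="/remote/login"), "5.6.14"),
    (_resp("HTTP/1.1 302 Found", Server=ASSUMED_SERVER_HEADER,
           Location="/remote/login"), "7.2.4"),
    # Decoy 1: another vendor redirecting to a different login page.
    (_resp("HTTP/1.1 302 Found", Server="nginx", Location="/login"), "n/a"),
    # Decoy 2: right Server header but no redirect (some other page on the
    # box); stage 1 matches it, stage 2 correctly drops it.
    (_resp("HTTP/1.1 200 OK", Server=ASSUMED_SERVER_HEADER,
           Content_Type="text/html"), "7.0.12"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_INVENTORY))
```

Run it directly to print the tally for the constructed sample. The two decoys show why the second stage matters: a non-FortiGate redirect fails the header check, and a response with the right header but no redirect fails the path check, which is exactly the over-count a certificate-only or header-only query produces. The percentage treats end-of-life branches as unpatched, since no fixed build exists for them.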
“[…] The findings highlight that appliances and embedded devices carry the same security risks as traditional computing devices, but are more difficult to upgrade,” commented Jon Vanbeneck, chief threat hunter at Netenrich.
“Until manufacturers make it easy and automatic patching becomes just the default, we will continue to see this kind of pattern.”
Bishop Fox called on all FortiGate firewall users to follow Fortinet’s recommendations and patch their devices immediately.