Tuesday, October 15, 2024
HomeCyber Security NewsOver 300,000+ Fortinet Firewalls are Vulnerable to a Critical RCE Flaw

Over 300,000+ Fortinet Firewalls are Vulnerable to a Critical RCE Flaw

Published on

Malware protection

The latest research shows Fortigate firewalls are vulnerable to remote code execution attempts.

490,000 affected SSL VPN interfaces are exposed on the internet, and roughly 69% are currently unpatched.

Bishop Fox internally developed an exploit for CVE-2023-27997, a heap overflow in FortiOS—the OS behind FortiGate firewalls—that allows remote code execution. 

- Advertisement - SIEM as a Service

CVE-2023-27997 is a heap-based buffer overflow in FortiGate’s SSL VPN component, which has been demonstrated to be exploitable for pre-authentication RCE.

Fortinet released patches and a workaround to fix the vulnerability.

Fortinet Firewall Exploit

Remote code execution via CVE-2023-27997 on FortiGate FGVM64 version 7.2.4
Remote code execution via CVE-2023-27997 on FortiGate FGVM64 version 7.2.4

The exploit can smash the heap, connect back to an attacker-controlled server, download a BusyBox binary, and open an interactive shell. 

This exploits very closely follows the steps detailed in the original blog post by Lexfo, which runs in approximately one second.

Below query on Shodan CLI returns nearly 490,000 exposed SSL VPN interfaces issued to Fortigate Firewall.

$ shodan count '"Server: xxxxxxxx-xxxxx" http.html: "top.location=/remote/login"'
489337

335,923 Unpatched Devices

Below, a search on Shodan for the last two months in the Last-Modified HTTP response header can find devices that’ve been patched.

In the following query, we assume that half of the devices with May-based installations are patched (there are some overlapping versions in this timeframe), and all of the June-based installations are patched.

$ seq 01 31 |
parallel 'printf "2023-05-%02d\n2023-06-%02d\n" {} {}' |
parallel 'date -d {} "+Last-Modified: %a, %d %b %Y" 2>/dev/null' |
parallel --bar 'shodan count "\"Server: xxxxxxxx-xxxxx\" http.html:\"top.location=/remote/login\" \"{}\"" | tr "\n" " "; echo {}' |
awk '{if ($0 ~ /May/) {SUM += $1 / 2} else {SUM += $1}} END {print SUM}'
153414

According to the results, only 153,414 devices on the internet are patched, which leaves 335,923 / 489,337 = 69% unpatched.

FortiOS installations of versions 5,6, and 7

Further analysis of the team has revealed that there are lots of version 7 (released in early 2021) and a ton of version 6, which is gradually reaching the end of its life.

“AI-based email security measures Protect your business From Email Threats!” – .

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...