The latest research shows Fortigate firewalls are vulnerable to remote code execution attempts.
490,000 affected SSL VPN interfaces are exposed on the internet, and roughly 69% are currently unpatched.
Bishop Fox internally developed an exploit for CVE-2023-27997, a heap overflow in FortiOS—the OS behind FortiGate firewalls—that allows remote code execution.
CVE-2023-27997 is a heap-based buffer overflow in FortiGate’s SSL VPN component, which has been demonstrated to be exploitable for pre-authentication RCE.
Fortinet released patches and a workaround to fix the vulnerability.
The exploit can smash the heap, connect back to an attacker-controlled server, download a BusyBox binary, and open an interactive shell.
This exploits very closely follows the steps detailed in the original blog post by Lexfo, which runs in approximately one second.
Below query on Shodan CLI returns nearly 490,000 exposed SSL VPN interfaces issued to Fortigate Firewall.
$ shodan count '"Server: xxxxxxxx-xxxxx" http.html: "top.location=/remote/login"'
489337
Below, a search on Shodan for the last two months in the Last-Modified HTTP response header can find devices that’ve been patched.
In the following query, we assume that half of the devices with May-based installations are patched (there are some overlapping versions in this timeframe), and all of the June-based installations are patched.
$ seq 01 31 |
parallel 'printf "2023-05-%02d\n2023-06-%02d\n" {} {}' |
parallel 'date -d {} "+Last-Modified: %a, %d %b %Y" 2>/dev/null' |
parallel --bar 'shodan count "\"Server: xxxxxxxx-xxxxx\" http.html:\"top.location=/remote/login\" \"{}\"" | tr "\n" " "; echo {}' |
awk '{if ($0 ~ /May/) {SUM += $1 / 2} else {SUM += $1}} END {print SUM}'
153414 According to the results, only 153,414 devices on the internet are patched, which leaves 335,923 / 489,337 = 69% unpatched.
Further analysis of the team has revealed that there are lots of version 7 (released in early 2021) and a ton of version 6, which is gradually reaching the end of its life.
“AI-based email security measures Protect your business From Email Threats!” – .
The QSC Loader service DLL named "loader.dll" leverages two distinct methods to obtain the path…
Cybercriminals are exploiting the recent critical LDAP vulnerabilities (CVE-2024-49112 and CVE-2024-49113) by distributing fake proof-of-concept…
A NonEuclid sophisticated C# Remote Access Trojan (RAT) designed for the.NET Framework 4.8 has been…
Fraudsters in the Middle East are exploiting a vulnerability in the government services portal. By…
Juniper Networks has disclosed a significant vulnerability affecting its Junos OS and Junos OS Evolved…
CrowdStrike, a leader in cybersecurity, uncovered a sophisticated phishing campaign that leverages its recruitment branding…