A recent report reveals a critical flaw in Fortinet firewalls, leaving over 490,000 devices at risk of exploitation. This article explores the vulnerability, its impact, and the necessary actions organizations should take to protect their systems.
Vulnerability and Exploitation
A heap-based buffer overflow vulnerability (CWE-122) in FortiOS and FortiProxy SSL-VPN has been identified (CVE-2023-27997). This flaw allows remote attackers to execute arbitrary code or commands through specially crafted requests. Although it has been exploited in a limited number of attacks, the severity of the vulnerability demands immediate attention.
Impacted Sectors and Vendor Response
The affected vulnerability has primarily targeted government, manufacturing, and critical infrastructure sectors.
Fortinet acknowledges that the vulnerability (FG-IR-23-097) may have been exploited in a few cases. Consequently, they strongly advise customers with SSL-VPN enabled to upgrade their firmware promptly. Even for those not using SSL-VPN, upgrading is still recommended for enhanced security.
Researchers’ Findings and Alarming Statistics
Researchers from Lexfo Security and Bishop Fox discovered alarming statistics related to the vulnerability.
Lexfo Security’s Charles Fol and Dany Bach reported the flaw, describing it as a reachable pre-authentication impacting all SSL VPN appliances. Bishop Fox’s Capability Development team built an exploit for the vulnerability, finding approximately 490,000 exposed SSL VPN interfaces on the internet. Shockingly, around 69% of these devices remain unpatched, leaving them highly vulnerable.
Shodan Query and Unpatched Instances
Bishop Fox’s researchers conducted a Shodan query to identify vulnerable instances. They specifically searched for servers returning the HTTP response header “Server: xxxxxxxx-xxxxx,” filtering down to those redirecting to “/remote/login,” which exposes the SSL VPN interface. The query returned approximately 490,000 instances, revealing that only 153,414 devices were patched, leaving a significant 69% unpatched.
Outdated FortiOS Versions and Security Risks
Analysis of the Last-Modified header values by Bishop Fox’s researchers exposed numerous outdated FortiOS versions, with some devices running software that is eight years old. These devices harbor critical vulnerabilities that have been addressed over the years by Fortinet, with proof-of-concept exploit codes publicly available. This highlights the urgent need for firmware upgrades and demonstrates the potential security risks associated with outdated software versions.
Urgent Action and Recommendations
In light of the critical vulnerability, experts strongly advise organizations using FortiGate firewalls or any other system powered by FortiOS to follow Fortinet’s advisory and upgrade their firmware immediately. Proactive measures are necessary to safeguard systems, prevent potential exploits, and mitigate risks.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.