Fortinet RCE vulnerability: CVE-2023-27997

Introduction to CVE-2023-27997

A critical security issue, CVE-2023-27997, was discovered in FortiGate firewalls, leaving hundreds of thousands of devices vulnerable. This critical vulnerability poses a remote code execution risk, with a severity score of 9.8 out of 10. The flaw resides in FortiOS, the operating system that connects various Fortinet networking components within the Security Fabric platform.

In collaboration with Dany Bach, Charles Fol, a security researcher from Lexfo, has discovered the vulnerability identified as CVE-2023-27997. This vulnerability enables remote code execution (RCE) and is accessible pre-authentication on all SSL VPN appliances. The researchers have indicated that they will provide additional information regarding this vulnerability at a later stage. Their future disclosure is expected to shed more light on the technical aspects and potential implications of CVE-2023-27997.

The problem stems from a heap-based buffer overflow [CWE-122], enabling unauthenticated attackers to execute arbitrary code on affected devices. This exploit occurs when the SSL VPN interface is exposed on the web. Fortinet issued a warning in mid-June, stating that there were indications of potential attacks exploiting this vulnerability.

According to a report over 300,000 FortiGate firewall appliances remain vulnerable to attacks and are accessible through the public internet, despite the calls for patching.

Identifying the Unpatched Devices

Bishop Fox researchers utilised the Shodan search engine to identify these vulnerable devices. By analysing the response headers from various appliances, they identified those that indicated an exposed SSL VPN interface. This specific HTTP response header was a vital indicator in their search for vulnerable appliances.

To identify potentially vulnerable FortiGate firewall appliances, a reliable approach is to search for servers returning the HTTP response header "Server: xxxxxxxx-xxxxx," which is a fingerprint for devices running FortiOS. Filtering the results to those that redirect to the "/remote/login" path can pinpoint devices with exposed SSL VPN interfaces, which allows for the targeted identification of at-risk appliances.

$ shodan count '"Server: xxxxxxxx-xxxxx" http.html: "top.location=/remote/login"'

Using the HTTP response header "Server: xxxxxxxx-xxxxx" instead of SSL certificates, the search revealed nearly 490,000 exposed SSL VPN interfaces—almost twice as many as the certificate-based search.

To identify potentially patched devices running Fortinet's FortiOS, an effective method is to search for software images released in May and June 2023. By examining the Last-Modified HTTP response header in the Shodan search, devices with these months indicated can be identified. Assuming that half of the devices with May-based installations are patched (accounting for overlapping versions) and all June-based installations are patched, this query helps identify potentially updated devices.

$ seq 01 31 |
parallel 'printf "2023-05-%02d\n2023-06-%02d\n" {} {}' |
parallel 'date -d {} "+Last-Modified: %a, %d %b %Y" 2>/dev/null' |
parallel --bar 'shodan count "\"Server: xxxxxxxx-xxxxx\" http.html:\"top.location=/remote/login\" \"{}\"" | tr "\n" " "; echo {}' |
awk '{if ($0 ~ /May/) {SUM += $1 / 2} else {SUM += $1}} END {print SUM}'

Affected versions

• FortiOS-6K7K version 7.0.10

• FortiOS-6K7K version 7.0.5

• FortiOS-6K7K version 6.4.12

• FortiOS-6K7K version 6.4.10

• FortiOS-6K7K version 6.4.8

• FortiOS-6K7K version 6.4.6

• FortiOS-6K7K version 6.4.2

• FortiOS-6K7K version 6.2.9 through 6.2.13

• FortiOS-6K7K version 6.2.6 through 6.2.7

• FortiOS-6K7K version 6.2.4

• FortiOS-6K7K version 6.0.12 through 6.0.16

• FortiOS-6K7K version 6.0.10

• FortiProxy version 7.2.0 through 7.2.3

• FortiProxy version 7.0.0 through 7.0.9

• FortiProxy version 2.0.0 through 2.0.12

• FortiProxy 1.2, all versions

• FortiProxy 1.1, all versions

• FortiOS version 7.2.0 through 7.2.4

• FortiOS version 7.0.0 through 7.0.11

• FortiOS version 6.4.0 through 6.4.12

• FortiOS version 6.2.0 through 6.2.13

• FortiOS version 6.0.0 through 6.0.16

• FortiSASE is no longer impacted, as the issue was remediated in Q2/23

Proof of Concept

Bishop Fox has successfully demonstrated the capabilities of CVE-2023-27997 by developing an exploit that enables remote code execution on vulnerable devices. This exploit involves smashing the heap, establishing a connection to an attacker-controlled server, downloading a BusyBox binary, and ultimately opening an interactive shell. This proof-of-concept exploit showcases the severity and potential impact of the vulnerability, emphasising the critical need for prompt patching and mitigation measures.

The Security Patch released for CVE-2023-27997

Unfortunately, enterprise defenders face the challenge of threat actors comparing newer and older versions of the FortiOS operating system to identify patch details and develop working exploits. Fortinet has been known to release critical fixes without explicitly mentioning the associated vulnerabilities, whether they are actively exploited or not. To mitigate risks, enterprise administrators should act swiftly and implement patches immediately.

Fortinet promptly addressed the issue by releasing firmware updates on June 11 and made the firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 generally available to patch the vulnerability. It is crucial for organisations using FortiGate firewalls to update their firmware to the latest recommended version to protect against potential attacks and ensure the security of their network infrastructure.

UPDATE (June 13, 2023, 08:20 a.m. ET):

Fortinet released a security advisory for CVE-2023-27997, a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN. Exploiting this vulnerability could allow remote attackers to execute arbitrary code through specially crafted requests.

In their blog post, Fortinet acknowledges that there have been limited instances of potential exploitation of this vulnerability, although further details are not provided.

Recommended patch versions

• Upgrade to FortiOS-6K7K version 7.0.12 or above

• Upgrade to FortiOS-6K7K version 6.4.13 or above

• Upgrade to FortiOS-6K7K version 6.2.15 or above

• Upgrade to FortiOS-6K7K version 6.0.17 or above

• Upgrade to FortiProxy version 7.2.4 or above

• Upgrade to FortiProxy version 7.0.10 or above

• Upgrade to FortiProxy version 2.0.13 or above

• Upgrade to FortiOS version 7.4.0 or above

• Upgrade to FortiOS version 7.2.5 or above

• Upgrade to FortiOS version 7.0.12 or above

• Upgrade to FortiOS version 6.4.13 or above

• Upgrade to FortiOS version 6.2.14 or above

• Upgrade to FortiOS version 6.0.17 or above
  

In summary, the discovery of CVE-2023-27997 underscores the urgency of prompt patching for FortiGate firewalls. The potential for remote code execution (RCE) and the prevalence of vulnerable devices demand immediate action. Organisations can enhance their defences and protect against potential exploits by prioritising timely patches.

References:

• https://bishopfox.com/blog/cve-2023-27997-exploitable-and-fortigate-firewalls-vulnerable

• https://www.helpnetsecurity.com/2023/06/11/cve-2023-27997/

• https://www.bleepingcomputer.com/news/security/300-000-plus-fortinet-firewalls-vulnerable-to-critical-fortios-rce-bug/

• https://www.fortiguard.com/psirt/FG-IR-23-097

Register for instructor-led online courses today!

https://www.darkrelay.com/courses

Check out our free programs!

https://www.darkrelay.com/programs

Contact us with your custom pen testing needs at: info@darkrelay.com or WhatsApp.

Follow us on LinkedIn Twitter Facebook Instagram YouTube Pinterest.