The delay in applying patches for the FortiGate firewall’s remote code execution (RCE) vulnerability, CVE-2023-27997, which was announced on June 12, 2023, has reached a critical stage.
CVE-2023-27997 is a heap-based buffer overflow vulnerability affecting SSL-VPN enabled devices. This RCE vulnerability enables the remote execution of code through an SSL-VPN interface exposed on the web. With a severity index rated at 9.8 out of 10, this vulnerability poses a significant threat.
According to a BleepingComputer article, as of July 3, over 300,000 Fortinet firewalls were discovered to be vulnerable and unpatched. Despite the prompt release of a security patch upon vulnerability disclosure, there is a delay in user patching. One month later, the question remains: What is the current state? This article explores the number of vulnerable Fortinet firewalls that remain exposed to threats nearly two months after the patch’s release.
Detecting Internet-Exposed FortiGate SSL VPN Interfaces
Referring to an article on identifying devices vulnerable to CVE-2023-27997, we utilized Criminal IP Asset Search to perform specific queries.
The following Criminal IP query was employed to identify vulnerable FortiGate SSL VPN interfaces exposed to the internet:
Search query: “xxxxxxxx-xxxxx” “top.location=/remote/login”
*The “” operator used in this query helps you find servers precisely matching the searched query within the banner script.
Surprisingly, 476,326 FortiGate SSL VPN interfaces were found to be accessible from the internet.
Some of these servers are installed after the patch, and not all servers are vulnerable to the CVE-2023-27997 RCE vulnerability. However, we can see that a large number of FortiGates are still vulnerable due to delayed patching.
FortiGate Vulnerable to CVE-2023-27997 RCE Attack
Among the 470,000 exposed FortiGate SSL-VPN interfaces, our investigation focused on devices capable of exploiting the CVE-2023-27997 vulnerability.
The ‘cve_id’ filter within Criminal IP Asset Search facilitated this search:
Search query: cve_id: CVE-2023-27997
* The cve_id filter used in this query can find the IP address containing the searched CVE vulnerability.
The search results identified 4,677 servers susceptible to the CVE-2023-27997 vulnerability.
These servers, running FortiGate, are vulnerable to attacks utilizing a known exploit. Moreover, the banner information of these IP addresses exposes the Fortinet version and serial number, amplifying the risk of potential exploit attacks.
Of course, many more devices could be vulnerable besides these 4,677 vulnerable FortiGate devices.
In particular, as this FortiGate RCE vulnerability can lead to attacks not only on vulnerable devices but also on other internal servers, a prompt security patch is essential.
Worldwide Statistics of Devices Exposed to FortiGate RCE Vulnerability
An analysis of countries with servers vulnerable to the CVE-2023-27997 FortiGate RCE vulnerability revealed its global impact.
A total of 151 countries have Fortinet devices exposed to the vulnerability. The United States leads the list, with 590 cases, accounting for approximately 12.6% of the total. Over 200 cases have been identified in countries such as the United Arab Emirates, India, and Taiwan.
Recommendations for Patching CVE-2023-27997, FortiGate RCE Vulnerability
The fact that a significant number of devices remain vulnerable, even three months after Fortinet’s vulnerability disclosure and patch release, underscores the seriousness of the patch delay.
While a disclosed vulnerability initially garners attention, it often becomes overshadowed by other concerns over time.
Nevertheless, it’s essential not to overlook the crucial point that attackers frequently exploit opportunities to target vulnerabilities that persist for months or even years due to lax management as interest wanes.
Fortinet issued the following advisory for the CVE-2023-27997 RCE vulnerability.
Deactivate SSL-VPN or perform an upgrade following the instructions below:
Upgrade to FortiOS-6K7K version 7.0.12 or higher.
Upgrade to FortiOS-6K7K version 6.4.13 or higher.
Upgrade to FortiOS-6K7K version 6.2.15 or higher.
Upgrade to FortiOS-6K7K version 6.0.17 or higher.
Upgrade to FortiProxy version 7.2.4 or higher.
Upgrade to FortiProxy version 7.0.10 or higher.
Upgrade to FortiProxy version 2.0.13 or higher.
Upgrade to FortiOS version 7.4.0 or higher.
Upgrade to FortiOS version 7.2.5 or higher.
Upgrade to FortiOS version 7.0.12 or higher.
Upgrade to FortiOS version 6.4.13 or higher.
Upgrade to FortiOS version 6.2.14 or higher.
Upgrade to FortiOS version 6.0.17 or higher.
Details of the advisory can be found in Fortinet’s PSIRT Blog Post. In addition to monitoring security advisories and the immediate patching of systems, Fortinet strongly recommends the following:
- Review systems for evidence of past vulnerability exploits, such as FG-IR-22-377 / CVE-2022-40684.
- Maintain robust cyber hygiene and adhere to vendor patching recommendations.
- Implement hardening recommendations (e.g. FortiOS 7.2.0 Hardening Guide).
- Minimize the attack surface by disabling unused features and managing devices via an out-of-band method wherever possible.
Check out our article that discusses the Fortinet Authentication Vulnerability CVE-2022-40684.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.
Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence.
Source: Criminal IP (https://www.criminalip.io/en)