Researchers say that nearly 336,000 devices exposed to the Internet remain vulnerable to a critical vulnerability in firewalls sold by Fortinet because admins have yet to install patches the company released three weeks ago.
CVE-2023-27997 is a remote code execution in Fortigate VPNs, which are included in the company’s firewalls. The vulnerability, which stems from a heap overflow bug, has a severity rating of 9.8 out of 10. Fortinet released updates silently patching the flaw on June 8 and disclosed it four days later in an advisory that said it may have been exploited in targeted attacks. That same day, the US Cybersecurity and Infrastructure Security Administration added it to its catalog of known exploited vulnerabilities and gave federal agencies until Tuesday to patch it.
Despite the severity and the availability of a patch, admins have been slow to fix it, researchers said.
Security firm Bishop Fox on Friday, citing data retrieved from queries of the Shodan search engine, said that of 489,337 affected devices exposed on the internet, 335,923 of them—or 69 percent—remained unpatched. Bishop Fox said that some of the vulnerable machines appeared to be running Fortigate software that hadn’t been updated since 2015.
“Wow—looks like there’s a handful of devices running 8-year-old FortiOS on the Internet,” Caleb Gross, director of capability development at Bishop Fox, wrote in Friday’s post. “I wouldn’t touch those with a 10-foot pole.”
Gross reported that Bishop Fox has developed an exploit to test customer devices.
The screen capture above shows the proof-of-concept exploit corrupting the heap, a protected area of computer memory that’s reserved for running applications. The corruption injects malicious code that connects to an attacker-controlled server, downloads the BusyBox utility for Unix-like operating systems, and opens an interactive shell that allows commands to be remotely issued by the vulnerable machine. The exploit requires only about one second to complete. The speed is an improvement over a PoC Lexfo released on June 13.
In recent years, several Fortinet products have come under active exploitation. In February, hackers from multiple threat groups began exploiting a critical vulnerability in FortiNAC, a network access control solution that identifies and monitors devices connected to a network. One researcher said that the targeting of the vulnerability, tracked as CVE-2022-39952 led to the “massive installation of webshells” that gave hackers remote access to compromised systems.
Last December, an unknown threat actor exploited a different critical vulnerability in the FortiOS SSL-VPN to infect government and government-related organizations with advanced custom-made malware. Fortinet quietly fixed the vulnerability in late November but didn’t disclose it until after the in-the-wild attacks began. The company has yet to explain why or say what its policy is for disclosing vulnerabilities in its products.
And in 2021, a trio of vulnerabilities in Fortinet’s FortiOS VPN—two patched in 2019 and one a year later—were targeted by attackers attempting to access multiple government, commercial, and technology services.
So far, there are few details about the active exploits of CVE-2023-27997 that Fortinet said may be underway. Volt Typhoon, the tracking name for a Chinese-speaking threat group, has actively exploited CVE-2023-40684, a separate Fortigate vulnerability of similar high severity. Fortinet said in its June 12 disclosure that it would be in keeping with Volt Typhoon to pivot to exploiting CVE-2023-27997, which Fortinet tracks under the internal designation FG-IR-23-097.
“At this time we are not linking FG-IR-23-097 to the Volt Typhoon campaign, however Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices,” Fortinet said at the time. For this reason, Fortinet urges immediate and ongoing mitigation through an aggressive patching campaign.”
Listing image by Getty Images