Approximately 69% of FortiGate firewalls affected by a recently discovered FortiOS vulnerability remain unpatched, according to security researchers at Bishop Fox.
The flaw (CVE-2023-27997) could lead to remote code execution (RCE). It was patched by Fortinet in mid-June.
In a recently published advisory, Bishop Fox’s Capability Development team said they have successfully developed an exploit for the vulnerability.
“Our exploit smashes the heap, connects back to an attacker-controlled server, downloads a BusyBox binary, and opens an interactive shell,” explained Caleb Gross, director of Capability Development.
The entire process reportedly takes approximately one second, significantly faster than an earlier demonstration provided by Lexfo.
Gross added that a search on Shodan, a search engine for internet-connected devices, revealed that nearly 490,000 SSL VPN interfaces exposed on the internet are affected by this vulnerability.
“This FortiOS heap overflow vulnerability is rated as critical and requires a firmware update,” commented Timothy Morris, chief security advisor at Tanium.
“That is reason enough to patch; however, the fact that exploit code exists and that these security appliances are typically on the perimeter requires immediate attention.”
Bishop Fox cautioned that earlier reports estimating 250,000 exposed FortiGate firewalls, based on SSL certificates alone, may not accurately reflect the number of vulnerable devices.
This is because the search query used in those reports did not specifically target SSL VPN interfaces, which is where this vulnerability resides.
To identify vulnerable devices accurately, Gross said a more effective approach involves searching for servers returning a specific HTTP response header, then further filtering the results based on devices redirecting to a particular path.
Bishop Fox's in-depth analysis found that only 153,414 of the exposed devices had been patched, leaving a concerning 69% unpatched.
The Bishop Fox analysis also broke down the exposed devices by major FortiOS version. While a significant number of installations run the latest version, FortiOS 7, there are still devices running older versions, particularly version 5, which has reached end of life.
“The [...] findings highlight that the risk of appliances and embedded devices carry the same security risks as traditional computing devices but are a bigger pain to upgrade,” commented John Bambenek, principal threat hunter at Netenrich.
“Until manufacturers make it easy, and automatic patching is simply the default, we will continue to see these kinds of patterns.”
Bishop Fox urged all FortiGate firewall users to promptly follow Fortinet’s advisory and patch their devices.