Researchers Develop Exploit Code for Critical Fortinet VPN Bug

Published: 23/11/2024   Category: security


Some 340,000 FortiGate SSL VPN appliances remain exposed to the threat more than three weeks after Fortinet released firmware updates to address the issue.



Researchers have written exploit code for a critical remote code execution (RCE) vulnerability in Fortinet's FortiGate SSL VPNs that the vendor disclosed and patched in June 2023.

Bishop Fox's research team, which developed the exploit, has estimated there are some 340,000 affected FortiGate devices that are currently unpatched against the flaw and remain open to attack. That number is significantly higher than the 250,000 FortiGate devices that several researchers estimated were vulnerable to exploit when Fortinet first disclosed the flaw on June 12.

"There are 490,000 affected [FortiGate] SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched," Bishop Fox's director of capability development, Caleb Gross, wrote in a blog post on June 30. "You should patch yours now."
The heap-based buffer overflow vulnerability, tracked as CVE-2023-27997, affects multiple versions of FortiOS and FortiProxy SSL-VPN software. It gives an unauthenticated, remote attacker a way to execute arbitrary code on an affected device and take complete control of it. Researchers from French cybersecurity firm Lexfo, who discovered the flaw, assessed it as affecting every single SSL VPN appliance running FortiOS.

Bishop Fox has not released its exploit code publicly, but its blog post has a GIF of it in use. Gross described the exploit that Bishop Fox has developed as giving attackers a way to open an interactive shell they could use to communicate with an affected FortiGate appliance.

"This exploit very closely follows the steps detailed in the original blog post by Lexfo, though we had to take a few extra steps that were not mentioned in that post," Gross wrote. "The exploit runs in approximately one second, which is significantly faster than the demo video on a 64-bit device shown by Lexfo."

Fortinet issued firmware updates that addressed the issue on June 12. At the time, the company said the flaw affected organizations in government, manufacturing and other critical infrastructure sectors. Fortinet said it was aware of an attacker exploiting the vulnerability in a limited number of cases.
Fortinet cautioned about the potential for threat actors like those behind the Volt Typhoon cyber-espionage campaign to abuse CVE-2023-27997. Volt Typhoon is a China-based group that is believed to have established persistent access on networks belonging to US telecom companies and other critical infrastructure organizations, for stealing sensitive data and carrying out other malicious actions. The campaign so far has primarily used another, older Fortinet flaw (CVE-2022-40684) for initial access. But organizations should not discount the possibility of Volt Typhoon — and other threat actors — using CVE-2023-27997 either, Fortinet warned.

CVE-2023-27997 is one of numerous critical Fortinet vulnerabilities that have been exposed. Like those of almost every other firewall and VPN vendor, Fortinet's appliances are a popular target for adversaries because of the access they provide to enterprise networks.

The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others have issued multiple advisories in recent years about the need for organizations to promptly address vulnerabilities in these and other network devices because of the high attacker interest in them.

In June 2022, for instance, CISA warned of China-sponsored threat actors actively targeting unpatched vulnerabilities in network devices from a wide range of vendors. The advisory included a list of the most common of these vulnerabilities, covering products from Fortinet, Cisco, Citrix, Netgear, Pulse, QNAP, and Zyxel.

"Systems administrators should patch as quickly as possible, even though patching firmware can be a bit more cumbersome when dealing with appliances that run application gateways," says Timothy Morris, chief security adviser at Tanium. "Often, appliances such as those from Fortinet face the perimeter and have very high-availability requirements, meaning they have tight windows for change."

"For most organizations, a certain amount of downtime is probably inevitable," Morris says. "Vulnerabilities such as CVE-2023-27997 require the full firmware image to be reloaded, so there is a certain amount of time and risk involved," he adds. "Configurations have to be backed up and restored to make sure they are working as expected."
