More than two-thirds of the internet-exposed FortiGate SSL VPN interfaces that Bishop Fox identified remain unpatched against a vulnerability Fortinet disclosed on June 12, according to research the offensive security testing firm released Friday.
Bishop Fox researchers counted roughly 490,000 affected SSL VPN interfaces exposed to the internet and determined that about 69% of them, around 338,000 FortiGate firewalls, are still running vulnerable FortiOS builds.
The heap-based overflow vulnerability, CVE-2023-27997, could allow a remote attacker to execute arbitrary code or commands, and has a CVSS score of 9.8 out of 10.
“Fortinet continues to monitor the situation and has been proactively communicating to customers, strongly urging them to immediately follow the guidance provided to mitigate the vulnerability using either the provided workarounds or by upgrading,” a Fortinet spokesperson said via email.
Fortinet encouraged customers to upgrade FortiOS or, as a workaround, to disable SSL VPN. In a June 12 blog post the company said the vulnerability “may have been exploited in a limited number of cases,” but it declined to answer questions about how many FortiGate firewalls have been compromised to date.
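The practical question for an operator is whether a given firewall is still on a vulnerable FortiOS build and whether SSL VPN is even enabled on it. The following Python is an added example, not code from Bishop Fox, Fortinet or the article: it parses the version field that FortiOS prints for `get system status`, compares it against a per-branch table of fixed releases, and rolls a fleet inventory up into the same "unpatched share" figure the research reports. The fixed-version table is my recollection of Fortinet advisory FG-IR-23-097 and must be verified against the advisory before use; the inventory entries and the `ssl_vpn_enabled` flags are constructed sample data.

```python
import re

# Fixed FortiOS releases per branch for CVE-2023-27997.
# ASSUMPTION: values recalled from Fortinet advisory FG-IR-23-097; verify
# against the advisory before relying on them. Branches not listed here
# (for example builds newer than the table) are reported as unknown.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
    (7, 4): (7, 4, 0),
}

# Matches the version token in a `get system status` line such as
# "Version: FortiGate-100F v7.0.11,build0489,230314 (GA)"
_VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_fortios_version(status_line):
    """Return (major, minor, patch) from a FortiOS status line."""
    m = _VERSION_RE.search(status_line)
    if not m:
        raise ValueError("no FortiOS version found in: %r" % status_line)
    return tuple(int(x) for x in m.groups())


def assess(status_line, ssl_vpn_enabled, fixed=FIXED_VERSIONS):
    """Classify one firewall against the fixed-version table.

    Returns one of: "patched", "vulnerable", "vulnerable-sslvpn-disabled",
    "unknown-branch". A disabled SSL VPN removes the exposed attack surface
    but the build is still unpatched, so it is reported separately.
    """
    version = parse_fortios_version(status_line)
    branch = version[:2]
    if branch not in fixed:
        return "unknown-branch"
    if version >= fixed[branch]:
        return "patched"
    if not ssl_vpn_enabled:
        return "vulnerable-sslvpn-disabled"
    return "vulnerable"


def summarize(inventory, fixed=FIXED_VERSIONS):
    """Tally an inventory of (hostname, status_line, ssl_vpn_enabled).

    Returns (counts_by_state, unpatched_pct) where unpatched_pct is the
    share of SSL-VPN-enabled firewalls still on a vulnerable build, the
    same ratio the Bishop Fox figure describes.
    """
    counts = {}
    exposed = 0
    unpatched_exposed = 0
    for _host, status_line, ssl_vpn_enabled in inventory:
        state = assess(status_line, ssl_vpn_enabled, fixed)
        counts[state] = counts.get(state, 0) + 1
        if ssl_vpn_enabled and state != "unknown-branch":
            exposed += 1
            if state == "vulnerable":
                unpatched_exposed += 1
    pct = round(100.0 * unpatched_exposed / exposed, 1) if exposed else 0.0
    return counts, pct


# Constructed sample inventory (not real hosts); status lines mimic the
# format of `get system status` output.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "Version: FortiGate-100F v7.0.11,build0489,230314 (GA)", True),
    ("fw-edge-2", "Version: FortiGate-60F v7.2.5,build1517,230425 (GA)", True),
    ("fw-branch", "Version: FortiGate-40F v6.4.12,build2360,221219 (GA)", False),
    ("fw-dc", "Version: FortiGate-600E v7.2.4,build1396,230131 (GA)", True),
]

if __name__ == "__main__":
    counts, pct = summarize(SAMPLE_INVENTORY)
    for host, line, sslvpn in SAMPLE_INVENTORY:
        print(host, assess(line, sslvpn))
    print(counts, "%s%% of SSL-VPN-enabled firewalls unpatched" % pct)
```

Running the sample flags `fw-edge-1` and `fw-dc` as vulnerable, `fw-edge-2` as patched and `fw-branch` as unpatched but with SSL VPN off, which is the state Fortinet's workaround leaves a device in until it is upgraded.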
Bishop Fox, as part of its research into the vulnerability, said it developed an exploit that “runs in approximately one second” and shared the code in its blog post.
“Our exploit smashes the heap, connects back to an attacker-controlled server, downloads a BusyBox binary and opens an interactive shell,” Caleb Gross, director of capability development at Bishop Fox, said in the blog post.
Cybersecurity experts underscored the seriousness of the matter and the potential for damaging exploits against FortiGate firewalls that are still running SSL VPN and haven’t been upgraded to a fixed version of FortiOS.
“Remote code execution on a security appliance is about as bad as it can get,” Andrew Barratt, VP of technology and enterprise accounts at cybersecurity advisory Coalfire, said via email.
“These devices are both the doors to the network, and a large volume of the devices still being vulnerable is probably due to an inability to take these firewalls offline and test the patch with the associated impact on the business,” Barratt said.
André van der Walt, director of threat intelligence at Ontinue, noted there have been multiple FortiGate vulnerabilities this year, but CVE-2023-27997 is the most critical. If threat actors exploit the vulnerability to gain full control of FortiGate firewalls, it could result in data breaches, ransomware attacks and other serious consequences, van der Walt said via email.
“This serves as a timely reminder that organizations need to put in place robust vulnerability management measures that identify, prioritize and address urgent vulnerabilities like these,” van der Walt said. “Ultimately security systems also need to be actively maintained to a high level.”