FortiOS RCE vulnerability discovered in over 250,000 firewalls

Target Industry

Indiscriminate, opportunistic attacks.

Overview

A heap-based buffer overflow allowing unauthenticated remote code execution (RCE) was discovered during a code audit of the Secure Sockets Layer Virtual Private Network (SSL-VPN) module within FortiOS. The flaw was reported to Fortinet by researchers at LEXFO.

The vulnerability, tracked as CVE-2023-27997 with a CVSS score of 9.8, is triggered by crafted requests to the SSL-VPN service. No credentials are required, so any firewall whose SSL-VPN portal is reachable from the internet offers an attacker a direct route to initial access into the network behind it. Searches of the Shodan service initially suggested that over 250,000 public-facing firewalls were affected; since disclosure that estimate has risen to over 340,000 FortiGate devices with an exposed and unpatched SSL-VPN interface.

At the time of writing there is no public evidence of the vulnerability being used in attacks, although Fortinet has said the issue may have been exploited in a limited number of cases, and it is highly probable that groups known for targeting public-facing firewalls will adopt it. Bishop Fox has developed a proof-of-concept (PoC) exploit; the code has not been released, but a short GIF showing it achieving code execution has been published. Fortinet has released fixed builds (FortiOS 7.4.0, 7.2.5, 7.0.12, 6.4.13, 6.2.15 and 6.0.17, with corresponding FortiProxy releases) and urges customers to upgrade. Where an upgrade cannot be applied immediately, the vendor's interim workaround is to disable SSL-VPN; restricting access to the administrative interface remains good practice but does not address this bug, because the vulnerable code runs in the SSL-VPN listener rather than in the management interface.

Impact

Successful exploitation gives a threat actor arbitrary code execution on the firewall itself, with no credentials and before the SSL-VPN has authenticated the request. A compromised perimeter device can then be used to read its configuration and stored credentials, to intercept or redirect the traffic it handles, and as the initial access point for lateral movement into the internal network, ultimately to damage or steal sensitive organisational or customer data.

Vulnerability Detection

An endpoint detection and response (EDR) solution such as Microsoft Defender protects the hosts behind the firewall and can surface the activity that follows a perimeter compromise (credential use, lateral movement, malware deployment), but it runs on endpoints, not on the appliance, so it cannot observe exploitation of FortiOS itself. Detection for this vulnerability therefore starts with inventory: identify every FortiGate and FortiProxy with SSL-VPN enabled, record its FortiOS version, and compare that version against the fixed releases. Any unexplained configuration change or administrative account on such a device should be treated as suspicious until a patched build is confirmed.

Affected Products

FortiOS and FortiProxy with the SSL-VPN component enabled: FortiOS 7.2.0 to 7.2.4, 7.0.0 to 7.0.11, 6.4.0 to 6.4.12, 6.2.0 to 6.2.14 and 6.0.0 to 6.0.16. Devices on which SSL-VPN is disabled are not exposed to this issue.

Containment, Mitigations & Remediations

As noted above, an EDR solution on the hosts behind the firewall helps detect and contain the activity that follows a perimeter compromise in real time, but it is not a substitute for fixing the appliance.

All affected devices should be upgraded to the fixed FortiOS release for their branch (7.4.0, 7.2.5, 7.0.12, 6.4.13, 6.2.15 or 6.0.17). Until that is done, SSL-VPN should be disabled as Fortinet recommends. Keeping the administrative interface off the internet remains sound hardening but does not close this exposure on its own.
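As an added example (not part of the original bulletin and not Fortinet tooling), the following Python script triages an inventory of FortiGate version strings against the fixed releases for CVE-2023-27997. The fixed-release table is the one published for the mainline FortiOS branches in Fortinet's advisory FG-IR-23-097; the sample inventory, its hostnames and build numbers are constructed, and the handling of branches absent from the table (treating unlisted older branches as vulnerable and branches newer than 7.4 as fixed) is this example's own assumption.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# First fixed FortiOS release per branch for CVE-2023-27997 (mainline branches
# only, per Fortinet advisory FG-IR-23-097). Assumption: FortiOS-6K7K and
# FortiProxy have separate fix lists and are not covered by this table.
FIXED_RELEASES: Dict[Tuple[int, int], int] = {
    (6, 0): 17,
    (6, 2): 15,
    (6, 4): 13,
    (7, 0): 12,
    (7, 2): 5,
    (7, 4): 0,
}

# Matches the version token in output such as
# "Version: FortiGate-100F v7.2.4,build1234,230101 (GA)" or a bare "7.0.11".
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a FortiOS version string, or None."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Classify one device as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"          # unparseable record: needs a manual look
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        # Within a branch, any patch level at or above the fixed one is safe.
        return "patched" if patch >= FIXED_RELEASES[branch] else "vulnerable"
    if branch > (7, 4):
        return "patched"          # assumption: branches forked after 7.4.0 carry the fix
    return "vulnerable"           # assumption: older, unlisted branches have no fix


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> status for (hostname, version string) pairs."""
    return {host: assess(version) for host, version in inventory}


# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "Version: FortiGate-100F v7.2.4,build1234,230101 (GA)"),
    ("fw-edge-02", "Version: FortiGate-100F v7.2.5,build1234,230101 (GA)"),
    ("fw-branch-03", "v6.4.12"),
    ("fw-branch-04", "v7.4.0"),
    ("fw-legacy-05", "v5.6.14"),
    ("fw-unknown-06", "no version recorded"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<14} {status}")
```

The version strings can be collected from the `Version:` line of `get system status` on each FortiGate. Anything reported as `vulnerable` with SSL-VPN enabled should be patched or have SSL-VPN disabled first; `unknown` entries need a manual check rather than being assumed safe.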

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Fortinet holds a significant share of the networking-hardware market. Because threat actors weigh the probability of success against the value of the asset when choosing which attack surface to develop exploits for, internet-facing Fortinet appliances have become a prime target. As these products sit at the perimeter of many business networks, threat actors will continue to exploit vulnerabilities in them to reach and exfiltrate sensitive data or to disrupt business operations.

Threat Group

Although no evidence has been found that this vulnerability has been exploited in an attack, the group known as Volt Typhoon is highly likely to adopt the exploit, as it is known for compromising vulnerable public-facing firewalls.

MITRE Methodologies

Initial Access

T1190 – Exploit Public-Facing Application

Further Information

300,000+ Fortinet firewalls vulnerable to critical FortiOS RCE bug

Researchers Develop Exploit Code for Critical Fortinet VPN Bug


An Intelligence Terminology Yardstick showing the likelihood of events