Hundreds of thousands of FortiGate firewalls are yet to be patched against a flaw being actively used in the wild, experts have revealed.
Cybersecurity researchers from Bishop Fox recently used the Shodan.io search engine for internet-connected devices to look for servers with HTTPS responses that suggested the software was outdated.
The results brought back almost 490,000 Fortinet SSL-VPN internet-exposed interfaces, with roughly two-thirds (338,100 endpoints) being unpatched.
Multiple secure versions
These firewalls are said to be vulnerable to CVE-2023-27997, a heap-based buffer overflow vulnerability with a 9.8 severity score. The flaw affects FortiOS and FortiProxy devices with SSL-VPN enabled. Last night, Fortinet issued a patch, and said that the vulnerable endpoints “may have been exploited in a limited number of cases.”
If you are yet to patch your firewalls, make sure to bring them up to versions 7.2.5, 7.0.12, 6.4.13, or 6.2.15, as all of these are said to have addressed the issue.
Besides urging users to apply the fix, Bishop Fox has also developed a proof of concept (PoC), an exploit abusing the flaw to achieve remote code execution. Through the exploit, the researchers managed to take over the affected network gear. The researchers also found a “handful of devices” running a version of the operating system that’s eight years old.
“I wouldn’t touch those with a 10-foot pole,” commented Caleb Gross, director of capability development at Bishop Fox.
Gross added that their exploit “smashes the heap, connects back to an attacker-controlled server, downloads a BusyBox binary, and opens an interactive shell.”
The vulnerability was first discovered in early June and reported to Fortinet, which released the patch on June 8, and a detailed breakdown of the exploit process a week later, on June 13, The Register reports.
Via: The Register