Fortinet Bug: RUN — Don’t Walk — to Patch Critical RCE
Or just get it off the internet, stat.
Fortinet FortiOS security devices have yet another nasty bug. Is your shop one of the 300,000 that hasn’t yet patched CVE-2023-27997? It’s an unauthenticated remote access vulnerability that’s simple to exploit—about as bad as it gets.
But you need to pay to get the update. In today’s SB Blogwatch, we’re amazed, astounded and astonished.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: SPHEROIDS.
Xortigate Xceptional Xploits
What? Bill Toulas reports—“300,000+ Fortinet firewalls vulnerable to critical FortiOS RCE bug”:
“Roughly 335,900”
The vulnerability [has] a severity score of 9.8 out of 10 resulting from a heap-based buffer overflow problem. [It] is exploitable and allows an unauthenticated attacker to execute code remotely.
…
In an advisory in mid-June, the vendor warned that the issue may have been exploited in attacks. … Fortinet addressed the vulnerability on June 11 [in] FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5. [But] roughly 335,900 of the FortiGate firewalls reachable over the web … are still vulnerable.
Why? Jai Vijayan explains—“Why Security Appliances Make Popular Targets”:
“China-sponsored threat actors”
CVE-2023-27997 is one of numerous critical Fortinet vulnerabilities. … Like that of almost every other firewall and VPN vendor, Fortinet’s appliances are a popular target for adversaries because of the access they provide to enterprise networks.
…
In June 2022, for instance, CISA warned of China-sponsored threat actors actively targeting unpatched vulnerabilities in network devices from a wide range of vendors. The advisory included a list of the most common of these vulnerabilities. The list included vulnerabilities in products from Fortinet, Cisco, Citrix, Netgear, Pulse, QNAP, and Zyxel.
How? Dan Goodin adds—“336,000 servers remain unpatched”:
“The company has yet to explain”
Despite the severity and the availability of a patch, admins have been slow to fix it, researchers said. … The vulnerability … stems from a heap overflow bug.
…
In recent years, several Fortinet products have come under active exploitation. In February, hackers from multiple threat groups began exploiting a critical vulnerability in FortiNAC. … One researcher said that the targeting of the vulnerability, tracked as CVE-2022-39952 led to the “massive installation of webshells” that gave hackers remote access.
…
Last December, an unknown threat actor exploited a different critical vulnerability in the FortiOS SSL-VPN to infect government and government-related organizations with advanced custom-made malware. Fortinet quietly fixed the vulnerability in late November but didn’t disclose it until after the in-the-wild attacks began. The company has yet to explain why.
Who? Caleb Gross counts the exposed—“69% of FortiGate Firewalls Are Vulnerable”:
“Upgrade your firmware immediately”
There are 490,000 affected SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched. You should patch yours now.
…
[We] built an exploit for CVE-2023-27997. … Our exploit smashes the heap, connects back to an attacker-controlled server, downloads a BusyBox binary, and opens an interactive shell … in approximately one second.
…
If you’ve got a FortiGate firewall, or anything else powered by FortiOS, please … upgrade your firmware immediately. Happy patching!
Easier said than done. Xelas certainly thinks so:
“Maintenance subscriptions”
Fortinet makes it very hard to stay on top of firmware updates. Their firmware updates often break … things in a really bad way. … Their QA is really bad.
…
They have multiple concurrent releases in various stages of stability – for example, their FortiOS for firewalls currently has active and supported branches on versions 6.4.x, 7.0.X, 7.2.x, and 7.4.x, but not every firewall model is supported by every branch, so if you have a mix of devices, it would take serious homework to identify which FortiOS to settle on.
…
IT is always balancing staying up-to-date on security vs deploying an update that can easily take down sites that would then require dispatching hundreds of techs to fix. And some bugs don’t manifest quickly so are difficult to catch. … They’ve also started gate-keeping firmware updates behind maintenance subscriptions.
Wait. Pause. Fortinet wants you to pay to get security updates? Yes, according to u/LVsFINEST:
Unfortunately. … I get the following message when I go there … while logged into my Fortinet account:
Sorry, you don’t have any product covered by Fortinet support contract. Please contact Fortinet partners to purchase Fortinet support contract.
That’s ridiculous. luckytroll saw this coming a mile off:
Fortinet changed the firmware downloads to paywalled … a few months ago. This change meant that it was only a matter of time before huge numbers of out-of-support SMBs and HomeLabs fell prey to a vulnerability like this for which the only respite was to buy a support contract.
…
This marks the end of my days as a FortiGate user. They practically gave away FortiGates to advanced users and partners who wanted to get competent with the technology, but those days are over and they are now forced to milk that userbase … making the casual owner of hardware feel like they are being offered a protection racket style deal to keep the thugs out.
Protection racket? Doogie Howser MD had a similar experience:
You might not think of Fortinet as being “cheap” per se, but at the enterprise level they always win on price (I know this from experience). Problem is, you get what you pay for.
…
The amount of fairly nasty CVEs seems to disproportionately affect Fortinet more than the others in this space and we always seem to be scrambling to play catch up. Buy cheap, buy twice.
Is that fair comment? Martin Blank has hard data:
Fortinet has published 109 CVEs so far this year alone. They published another CVSS 9.8 [Monday]: The fourth 9+ CVE published this year. They had twelve last year. They are a nightmare to keep up to date.
Meanwhile, gweihir facepalms furiously:
I mean, come on. A *****ing Heap Overflow in security software? Those can be avoided by sound coding practices and can be found … with fuzz-testing and code scanners.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: lucas Favre (via Unsplash; leveled and cropped)
