URL: https://bishopfox.com/blog/cve-2023-27997-exploitable-and-fortigate-firewalls-vulnerable
Blog // Tech // Jun 30, 2023


CVE-2023-27997 IS EXPLOITABLE, AND 69% OF FORTIGATE FIREWALLS ARE VULNERABLE

By: Caleb Gross, Director of Capability Development






TL;DR

Bishop Fox internally developed an exploit for CVE-2023-27997, a heap overflow
in the SSL VPN component of FortiOS (the OS behind FortiGate firewalls) that
allows remote code execution. Roughly 490,000 affected SSL VPN interfaces are
exposed on the internet, and about 69% of them are currently unpatched. You
should patch yours now.




THE EXPLOIT

FIGURE 1 - Remote code execution via CVE-2023-27997 on FortiGate FGVM64 version
7.2.4

Bishop Fox’s Capability Development team built an exploit for CVE-2023-27997
that we’re continuously using to test Cosmos customers. In the screen capture
above, our exploit smashes the heap, connects back to an attacker-controlled
server, downloads a BusyBox binary, and opens an interactive shell. The exploit
closely follows the steps detailed in the original blog post by Lexfo, though
we had to take a few extra steps that were not mentioned in that post. It runs
in approximately one second, significantly faster than the demo Lexfo showed
on a 64-bit device.




SEARCHING SHODAN

Several articles published in the wake of this vulnerability's disclosure have
suggested that a Shodan search reveals 250,000 FortiGate firewalls exposed on
the internet. Many of these articles use the query
ssl.cert.subject.cn:FortiGate, which matches any TLS certificate whose subject
common name is FortiGate. There are a few problems with this query:

 * It doesn't specifically filter for SSL VPN interfaces, which is where this
   vulnerability resides
 * It misses devices whose certificate was issued by someone other than
   Fortinet (e.g., self-signed certificates, devices behind reverse proxies,
   etc.)

For better results, we can search for any servers returning the HTTP response
header Server: xxxxxxxx-xxxxx (that literal string; oddly, this appears to be a
reliable fingerprint for devices running FortiOS) and then filter down to those
that redirect to /remote/login, the path that exposes the SSL VPN interface.

This query on Shodan CLI will do the trick:

$ shodan count '"Server: xxxxxxxx-xxxxx" http.html:"top.location=/remote/login"'
489337


It returns nearly 490,000 exposed SSL VPN interfaces—roughly twice the number we
got when only searching based on SSL certificate.




FINDING UNPATCHED DEVICES

By inspecting Fortinet’s released software images, we know that patched FortiOS
releases were packaged in May and June 2023. If we search Shodan for those two
months in the Last-Modified HTTP response header, we can find devices that have
been patched. In the following query, we assume that half of the devices with
May build dates are patched (both vulnerable and patched releases were packaged
in that month), and that all of the June builds are patched.

$ seq 01 31 |
parallel 'printf "2023-05-%02d\n2023-06-%02d\n" {} {}' |
parallel 'date -d {} "+Last-Modified: %a, %d %b %Y" 2>/dev/null' |
parallel --bar 'shodan count "\"Server: xxxxxxxx-xxxxx\" http.html:\"top.location=/remote/login\" \"{}\"" | tr "\n" " "; echo {}' |
awk '{if ($0 ~ /May/) {SUM += $1 / 2} else {SUM += $1}} END {print SUM}'
153414


If only 153,414 devices on the internet are patched, that leaves
489,337 - 153,414 = 335,923 devices, or 335,923 / 489,337 = roughly 69%,
unpatched. This is certainly concerning, but it's less surprising when looking
at internet-facing FortiOS installations graphed by their Last-Modified header
values:

FIGURE 2 - FortiOS installations from April 2014 to June 2023

In the graph above, we can clearly see installations clustered around fall 2022
and winter 2023 (likely applying patches for CVE-2022-42475, which we also
developed an exploit for), with a small spike near the patch date for
CVE-2023-27997 in summer 2023. However, there are a lot of outliers in 2018 and
earlier that are hard to see in this linear view, so let’s take a logarithmic
view instead:

FIGURE 3 - Logarithmic view of FortiOS installations from April 2014 to
June 2023

Wow—looks like there’s a handful of devices running 8-year-old FortiOS on the
internet. I wouldn’t touch those with a 10-foot pole.
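The two Shodan queries above (the SSL VPN fingerprint, then the Last-Modified
patch heuristic) reduced to code that runs offline, as an added example that is
not part of the original post. It assumes exactly what the post describes: the
literal Server: xxxxxxxx-xxxxx header, a body that redirects to /remote/login,
and the rule that a June 2023 build counts as patched while a May 2023 build
counts half. The sample banners are constructed for this example, and the helper
names are the example's own, not Shodan's or Fortinet's.

```python
# Added example (not code from the Bishop Fox post): the post's two Shodan
# queries re-implemented over raw HTTP banners so the fingerprint and the
# patch-date heuristic can be inspected and tested offline. SAMPLE_BANNERS
# are constructed responses, not real Shodan records.
import re
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Literal Server header the post uses as the FortiOS fingerprint.
FORTIOS_SERVER_HEADER = "xxxxxxxx-xxxxx"
# The SSL VPN landing page redirects to /remote/login; the regex tolerates the
# path being quoted or unquoted inside the inline script (an assumption).
SSLVPN_REDIRECT = re.compile(r'top\.location\s*=\s*["\']?/remote/login')


def parse_banner(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP response into (headers, body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def is_fortios_sslvpn(raw: str) -> bool:
    """True when the banner matches both halves of the post's Shodan query."""
    headers, body = parse_banner(raw)
    return (headers.get("server") == FORTIOS_SERVER_HEADER
            and SSLVPN_REDIRECT.search(body) is not None)


def patch_weight(last_modified: Optional[str]) -> float:
    """Post's heuristic: June 2023 build -> 1.0, May 2023 -> 0.5, anything else -> 0."""
    if not last_modified:
        return 0.0
    try:
        built = parsedate_to_datetime(last_modified)
    except (TypeError, ValueError):
        return 0.0  # unparseable date: no evidence of a patched build
    if built.year == 2023 and built.month == 6:
        return 1.0
    if built.year == 2023 and built.month == 5:
        return 0.5
    return 0.0


def summarize(banners: List[str]) -> Dict[str, float]:
    """Count exposed SSL VPN interfaces and estimate the unpatched fraction."""
    exposed, patched = 0, 0.0
    for raw in banners:
        if not is_fortios_sslvpn(raw):
            continue  # not an SSL VPN interface: excluded from the denominator
        exposed += 1
        headers, _ = parse_banner(raw)
        patched += patch_weight(headers.get("last-modified"))
    unpatched = (exposed - patched) / exposed if exposed else 0.0
    return {"exposed": exposed, "patched_estimate": patched,
            "unpatched_fraction": unpatched}


def _banner(server: str, body: str, last_modified: Optional[str] = None) -> str:
    """Build a constructed HTTP response for the sample set."""
    lines = ["HTTP/1.1 200 OK", f"Server: {server}", "Content-Type: text/html"]
    if last_modified:
        lines.append(f"Last-Modified: {last_modified}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


REDIRECT_BODY = '<html><script>top.location="/remote/login";</script></html>'
SAMPLE_BANNERS = [
    _banner(FORTIOS_SERVER_HEADER, REDIRECT_BODY, "Thu, 08 Jun 2023 10:00:00 GMT"),  # June build: patched
    _banner(FORTIOS_SERVER_HEADER, REDIRECT_BODY, "Wed, 03 May 2023 10:00:00 GMT"),  # May build: half credit
    _banner(FORTIOS_SERVER_HEADER, REDIRECT_BODY, "Tue, 15 Nov 2022 10:00:00 GMT"),  # 2022 build: unpatched
    _banner(FORTIOS_SERVER_HEADER, REDIRECT_BODY),                                    # no date: unpatched
    _banner(FORTIOS_SERVER_HEADER, "<html>admin</html>", "Thu, 08 Jun 2023 10:00:00 GMT"),  # FortiOS, no SSL VPN
    _banner("nginx", REDIRECT_BODY, "Thu, 08 Jun 2023 10:00:00 GMT"),                # not FortiOS at all
]

if __name__ == "__main__":
    print(summarize(SAMPLE_BANNERS))
    # {'exposed': 4, 'patched_estimate': 1.5, 'unpatched_fraction': 0.625}
```

Two things the code makes explicit that the shell pipeline leaves implicit: a
host with no Last-Modified header, or one whose date falls outside May and June
2023, contributes zero to the patched count but still sits in the denominator,
and a FortiOS host that does not redirect to /remote/login is dropped entirely
rather than counted as unpatched.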




FINGERPRINTING VERSIONS

We can take our analysis deeper. Again, by inspecting released software images,
we can map specific build dates to specific major versions of FortiOS. Let’s
look specifically at FortiGate firewalls this time. The graph below is similar
to the first one we saw, but each stacked bar is colorized to show the
distribution of major versions in each month. Note that this data set draws
from a smaller sample of devices (constrained by our ability to fingerprint
specific major versions), but it appears to be representative of version
distributions across the internet.

FIGURE 4 - FortiOS installations of versions 5,6, and 7 from December 2015 to
June 2023

There’s lots of version 7 (released early 2021), and a ton of version 6, which
is gradually reaching end of life. But wait: what are those small, hardly
visible blue stubs on the left side of the chart? The logarithmic view can help
again:

FIGURE 5 - Logarithmic view of FortiOS installations of versions 5,6, and 7 from
December 2015 to June 2023

Is that…FortiOS version 5? Those devices are so end-of-life that they fell off
the release table linked above. Rest in peace, little ones.




CONCLUSION

At Bishop Fox, we nerd out on attack surface management statistics like these.
We want to see our customers keep their most important assets patched in a
timely manner, especially those with vulnerabilities that are proven to be
exploitable. If you’ve got a FortiGate firewall, or anything else powered by
FortiOS, please follow Fortinet’s advisory for this issue and upgrade your
firmware immediately. Happy patching!


About the author, Caleb Gross

Director of Capability Development

Caleb Gross is the Director of the Capability Development at Bishop Fox where he
leads a team of offensive security professionals specializing in attack surface
research and vulnerability intelligence. Prior to coming to Bishop Fox, he
served as an exploitation operator in the US Department of Defense's most elite
computer network exploitation (CNE) unit. As a top-rated military officer, Caleb
led an offensive operations team in the US Air Force's premier selectively
manned cyber attack squadron.




