WITHOUT A NET
336,000 servers remain unpatched against critical Fortigate vulnerability
69 percent of devices have yet to receive patch for flaw allowing remote code execution.
Dan Goodin – Jul 3, 2023 7:46 pm UTC
Researchers say that nearly 336,000 devices exposed to the Internet remain vulnerable to a critical vulnerability in firewalls sold by Fortinet because admins have yet to install patches the company released three weeks ago.
CVE-2023-27997 is a remote code execution vulnerability in Fortigate VPNs, which are included in the company's firewalls. The vulnerability, which stems from a heap overflow bug, has a severity rating of 9.8 out of 10. Fortinet released updates silently patching the flaw on June 8 and disclosed it four days later in an advisory that said it may have been exploited in targeted attacks. That same day, the US Cybersecurity and Infrastructure Security Agency added it to its catalog of known exploited vulnerabilities and gave federal agencies until Tuesday to patch it.
Despite the severity and the availability of a patch, admins have been slow to fix it, researchers said.
Security firm Bishop Fox on Friday, citing data retrieved from queries of the Shodan search engine, said that of 489,337 affected devices exposed on the internet, 335,923 of them, or 69 percent, remained unpatched. Bishop Fox said that some of the vulnerable machines appeared to be running Fortigate software that hadn't been updated since 2015.
"Wow, looks like there's a handful of devices running 8-year-old FortiOS on the Internet," Caleb Gross, director of capability development at Bishop Fox, wrote in Friday's post. "I wouldn't touch those with a 10-foot pole."
Gross reported that Bishop Fox has developed an exploit to test customer devices.
The screen capture above shows the proof-of-concept exploit corrupting the heap, a protected area of computer memory that's reserved for running applications. The corruption injects malicious code that connects to an attacker-controlled server, downloads the BusyBox utility for Unix-like operating systems, and opens an interactive shell that allows commands to be remotely issued by the vulnerable machine. The exploit requires only about one second to complete. The speed is an improvement over a PoC Lexfo released on June 13.
In recent years, several Fortinet products have come under active exploitation. In February, hackers from multiple threat groups began exploiting a critical vulnerability in FortiNAC, a network access control solution that identifies and monitors devices connected to a network. One researcher said that the targeting of the vulnerability, tracked as CVE-2022-39952, led to the massive installation of webshells that gave hackers remote access to compromised systems.
Last December, an unknown threat actor exploited a different critical vulnerability in the FortiOS SSL-VPN to infect government and government-related organizations with advanced custom-made malware. Fortinet quietly fixed the vulnerability in late November but didn't disclose it until after the in-the-wild attacks began. The company has yet to explain why or say what its policy is for disclosing vulnerabilities in its products.
And in 2021, a trio of vulnerabilities in Fortinet's FortiOS VPN, two patched in 2019 and one a year later, were targeted by attackers attempting to access multiple government, commercial, and technology services.
So far, there are few details about the active exploits of CVE-2023-27997 that Fortinet said may be underway. Volt Typhoon, the tracking name for a Chinese-speaking threat group, has actively exploited CVE-2023-40684, a separate Fortigate vulnerability of similar high severity. Fortinet said in its June 12 disclosure that it would be in keeping with Volt Typhoon to pivot to exploiting CVE-2023-27997, which Fortinet tracks under the internal designation FG-IR-23-097.
"At this time we are not linking FG-IR-23-097 to the Volt Typhoon campaign, however Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices," Fortinet said at the time. "For this reason, Fortinet urges immediate and ongoing mitigation through an aggressive patching campaign."