CVE-2023-27997 Is Exploitable, and 69% of FortiGate Firewalls Are Vulnerable
TL;DR
Bishop Fox internally developed an exploit for CVE-2023-27997, a heap overflow in FortiOS—the OS behind FortiGate firewalls—that allows remote code execution. There are 490,000 affected SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched. You should patch yours now.
The Exploit
FIGURE 1 - Remote code execution via CVE-2023-27997 on FortiGate FGVM64 version 7.2.4
Bishop Fox’s Capability Development team built an exploit for CVE-2023-27997 that we’re continuously using to test Cosmos customers. In the screen capture above, our exploit smashes the heap, connects back to an attacker-controlled server, downloads a BusyBox binary, and opens an interactive shell. This exploit very closely follows the steps detailed in the original blog post by Lexfo, though we had to take a few extra steps that were not mentioned in that post. The exploit runs in approximately one second, which is significantly faster than the demo video on a 64-bit device shown by Lexfo.
Searching Shodan
Several articles published in the wake of this vulnerability's disclosure have suggested that a Shodan search reveals 250,000 FortiGate firewalls exposed on the internet. Many of these articles use the query ssl.cert.subject.cn:FortiGate, which looks for any SSL certificates that were issued to FortiGate. There are a few problems with this query:
- It doesn't specifically filter for SSL VPN interfaces, which is where this vulnerability resides
- It doesn't find devices with certificates that were issued by someone other than Fortinet (e.g., self-signed certificates, reverse proxies, etc.)
For better results, we can search for any servers returning the HTTP response header Server: xxxxxxxx-xxxxx—oddly, this appears to be a reliable fingerprint for devices running FortiOS—and then filter down on those that redirect to /remote/login, the path that exposes the SSL VPN interface.
This query on Shodan CLI will do the trick:
$ shodan count '"Server: xxxxxxxx-xxxxx" http.html:"top.location=/remote/login"'
489337
It returns nearly 490,000 exposed SSL VPN interfaces—roughly twice the number we got when only searching based on SSL certificate.
Finding unpatched devices
By inspecting Fortinet’s released software images, we know that patched FortiOS releases were packaged in May–June 2023. If we search Shodan for those two months in the Last-Modified HTTP response header, we can find devices that have been patched. In the following query, we assume that half of the devices with May-based installations are patched (there are some overlapping versions in this timeframe), and all of the June-based installations are patched.
$ seq 01 31 \
    | parallel 'printf "2023-05-%02d\n2023-06-%02d\n" {} {}' \
    | parallel 'date -d {} "+Last-Modified: %a, %d %b %Y" 2>/dev/null' \
    | parallel --bar 'shodan count "\"Server: xxxxxxxx-xxxxx\" http.html:\"top.location=/remote/login\" \"{}\"" | tr "\n" " "; echo {}' \
    | awk '{if ($0 ~ /May/) {SUM += $1 / 2} else {SUM += $1}} END {print SUM}'
153414
If only 153,414 devices on the internet are patched, that leaves 335,923 / 489,337 = 69% unpatched. This is certainly concerning—but it's less surprising when looking at internet-facing FortiOS installations graphed by their Last-Modified header values:
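As an added example (not code from Bishop Fox or the original post), the following Python applies the two fingerprints from the Shodan section (the Server: xxxxxxxx-xxxxx header plus the redirect to /remote/login) and the May/June Last-Modified heuristic from this section to a constructed set of HTTP response records, such as you might collect from your own FortiGate inventory. The hostnames and headers are made up, and the rule that build months later than June 2023 count as patched is an assumption of the example rather than a claim from the article.

```python
# Added example (not Bishop Fox's or Fortinet's code): applies the article's two
# fingerprints and its Last-Modified patch heuristic to constructed responses.
from email.utils import parsedate_to_datetime

# Fingerprints quoted in the article.
FORTIOS_SERVER_HEADER = "xxxxxxxx-xxxxx"
SSLVPN_REDIRECT = "top.location=/remote/login"

# Article heuristic: half of the May 2023 builds and all June 2023 builds are
# patched. Keyed by (year, month); the value is the assumed patched fraction.
PATCH_WEIGHTS = {(2023, 5): 0.5, (2023, 6): 1.0}
LAST_KNOWN_MONTH = max(PATCH_WEIGHTS)


def is_fortios_sslvpn(headers, body):
    """True when both fingerprints match: the odd Server header and the
    JavaScript redirect to /remote/login in the response body."""
    return headers.get("Server", "") == FORTIOS_SERVER_HEADER and SSLVPN_REDIRECT in body


def patched_weight(last_modified):
    """Fraction (0.0-1.0) of builds with this Last-Modified date assumed patched.
    A missing or unparsable header counts as unpatched (0.0), the conservative
    choice. Months later than the table count as patched (1.0); that is an
    assumption of this example, not a claim from the article."""
    if not last_modified:
        return 0.0
    try:
        built = parsedate_to_datetime(last_modified)
    except (TypeError, ValueError):
        return 0.0
    month = (built.year, built.month)
    if month in PATCH_WEIGHTS:
        return PATCH_WEIGHTS[month]
    return 1.0 if month > LAST_KNOWN_MONTH else 0.0


def estimate_exposure(responses):
    """Count SSL VPN interfaces among the responses and weight each one by its
    patch likelihood, mirroring the awk summation in the article."""
    exposed = 0
    patched = 0.0
    for resp in responses:
        if not is_fortios_sslvpn(resp["headers"], resp["body"]):
            continue
        exposed += 1
        patched += patched_weight(resp["headers"].get("Last-Modified"))
    unpatched = exposed - patched
    return {
        "exposed": exposed,
        "patched": patched,
        "unpatched": unpatched,
        "unpatched_ratio": unpatched / exposed if exposed else 0.0,
    }


# Constructed sample responses (hypothetical hosts, not scan data).
SAMPLE_RESPONSES = [
    {"host": "fw-a.example", "body": "<script>top.location=/remote/login</script>",
     "headers": {"Server": "xxxxxxxx-xxxxx", "Last-Modified": "Thu, 01 Jun 2023 08:00:00 GMT"}},
    {"host": "fw-b.example", "body": "<script>top.location=/remote/login</script>",
     "headers": {"Server": "xxxxxxxx-xxxxx", "Last-Modified": "Mon, 15 May 2023 11:30:00 GMT"}},
    {"host": "fw-c.example", "body": "<script>top.location=/remote/login</script>",
     "headers": {"Server": "xxxxxxxx-xxxxx", "Last-Modified": "Tue, 01 Nov 2022 09:00:00 GMT"}},
    {"host": "fw-d.example", "body": "<script>top.location=/remote/login</script>",
     "headers": {"Server": "xxxxxxxx-xxxxx"}},  # no Last-Modified: treated as unpatched
    {"host": "fw-e.example", "body": "<html>admin login</html>",  # FortiOS, but no SSL VPN redirect
     "headers": {"Server": "xxxxxxxx-xxxxx", "Last-Modified": "Thu, 01 Jun 2023 08:00:00 GMT"}},
    {"host": "web-f.example", "body": "<html>hello</html>",  # not FortiOS at all
     "headers": {"Server": "nginx", "Last-Modified": "Thu, 01 Jun 2023 08:00:00 GMT"}},
]

if __name__ == "__main__":
    print(estimate_exposure(SAMPLE_RESPONSES))
```

Of the six constructed hosts only four pass both fingerprints; weighting those four by build month gives 1.5 patched and 2.5 unpatched, i.e. a 62.5% unpatched ratio for the sample, computed the same way the article's pipeline arrives at 69% for the internet.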
FIGURE 2 - FortiOS installations from April 2014 to June 2023
In the graph above, we can clearly see installations clustered around fall 2022 and winter 2023 (likely applying patches for CVE-2022-42475, which we also developed an exploit for), with a small spike near the patch date for CVE-2023-27997 in summer 2023. However, there are a lot of outliers in 2018 and earlier that are hard to see in this linear view, so let’s take a logarithmic view instead:
FIGURE 3 - Logarithmic view of FortiOS installations from April 2014 to June 2023
Wow—looks like there’s a handful of devices running 8-year-old FortiOS on the internet. I wouldn’t touch those with a 10-foot pole.
Fingerprinting versions
We can take our analysis deeper. Again, by inspecting released software images, we can map specific build dates to specific major versions of FortiOS. Let’s look specifically at FortiGate firewalls this time. The graph below is similar to the first one we saw—but each stacked bar is colorized to show the distribution of major versions in each month. Note that this data set draws from a smaller sample of devices (constrained by our ability to fingerprint specific major versions), but it appears to be representative of version distributions across the internet.
FIGURE 4 - FortiOS installations of versions 5, 6, and 7 from December 2015 to June 2023
There’s lots of version 7 (released early 2021), and a ton of version 6 which is gradually reaching end of life. But wait—what are those small, hardly visible blue stubs on the left side of the chart? Logarithmic view can help again:
FIGURE 5 - Logarithmic view of FortiOS installations of versions 5, 6, and 7 from December 2015 to June 2023
Is that…FortiOS version 5? Those devices are so end-of-life that they fell off the release table linked above. Rest in peace, little ones.
Conclusion
At Bishop Fox, we nerd out on attack surface management statistics like these. We want to see our customers keep their most important assets patched in a timely manner, especially those with vulnerabilities that are proven to be exploitable. If you’ve got a FortiGate firewall, or anything else powered by FortiOS, please follow Fortinet’s advisory for this issue and upgrade your firmware immediately. Happy patching!