Critical Bug Leaves Majority of FortiGate Firewalls Vulnerable to Attack
Bishop Fox Report Highlights Risks

Overt Operator
July 05, 2023
Cybersecurity experts have issued a stern warning concerning a critical vulnerability that has left a considerable majority of Fortinet's SSL-VPN products open to potential cyber-attacks. This vulnerability, referenced as CVE-2023-27997, is present in nearly 70% of FortiGate firewalls globally, according to recent findings.
The vulnerability's significance, and its critical severity rating of 9.8 out of 10, are underscored by the widespread use of Fortinet's SSL-VPN product across numerous government bodies. Lexfo Security vulnerability researchers first identified the flaw, and Fortinet released a corresponding patch in June. However, it acknowledged that "a limited number of cases" may have already been exploited, with the malicious campaign seemingly focused on "government, manufacturing, and critical infrastructure."
Over the weekend, security firm Bishop Fox reported that it had internally developed an exploit for CVE-2023-27997, which sparked renewed concerns. Bishop Fox stated in a blog post, “There are 490,000 affected SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched. You should patch yours now.” This calculation implies over 335,000 instances remain vulnerable to the issue, a concern exacerbated by the fact that the exploit runs in just one second.
Bishop Fox’s research also highlighted that numerous unpatched instances are running significantly outdated versions, some of which reached end-of-life years ago. The gravity of this issue has been echoed by several cybersecurity experts who are urging immediate patching to avert potential crises.
Timothy Morris, Tanium's chief security advisor, stressed the urgency of the issue, stating it "cannot be understated" considering the existence of exploit code and the critical placement of these devices on the perimeters of organizations. Furthermore, Morris noted that many organizations run multiple redundant firewalls, so a single company will likely need to patch a large number of devices.
Andrew Barratt, Vice President at cybersecurity firm Coalfire, likened the CVSS rating to the Richter scale, suggesting that remote code execution on a security appliance is about as severe as it gets. The high volume of vulnerable devices can be attributed to the logistical difficulty of taking these firewalls offline for patch testing, given the potential impact on business operations.
There has been speculation about the CVE-2023-27997 vulnerability being exploited by Chinese hackers, specifically the Volt Typhoon group, in a cyber-attack on Guam's telecommunications network. While Fortinet dismissed the speculation, it cautioned that it expects all threat actors, including those behind the Volt Typhoon campaign, to exploit unpatched vulnerabilities in widely used software and devices.
Andre van der Walt, Director of Threat Intelligence at Ontinue, warned that the vulnerability could lead to data breaches, ransomware attacks, and other dire consequences. Van der Walt also highlighted a broader trend that Bishop Fox's findings exemplify: patching often lags significantly behind the disclosure of new vulnerabilities, regardless of the technology involved.