You've patched right? '340K+ Fortinet firewalls' wide open to critical security bug

That's a vulnerability that's under attack, fix available ... cancel those July 4th plans, perhaps?


More than 338,000 FortiGate firewalls are still unpatched and vulnerable to CVE-2023-27997, a critical bug Fortinet fixed last month that's being exploited in the wild.

This is according to infosec outfit Bishop Fox, which has developed an example exploit for achieving remote code execution via the hole. Successful exploitation of the pre-authentication vulnerability can allow an intruder to take over the network equipment. Bishop Fox warned: "You should patch yours now."

Fortinet did not respond to The Register's inquiries about how many products remain unpatched.

The bug – rated 9.8 out of 10 in terms of CVSS severity – is a heap-based buffer overflow vulnerability, and affects FortiOS and FortiProxy devices with SSL-VPN enabled. Fortinet disclosed the flaw last month and noted that the issue, which it tracks as FG-IR-23-097, "may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation."

Versions 7.2.5, 7.0.12, 6.4.13, and 6.2.15 of the firmware will patch the hole. But despite the vendor's updates and advice that customers "take immediate action," it appears that hundreds of thousands of boxen have been neglected.
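One way to turn the fixed versions above into an inventory check is shown below. This is an added example, not code from the article or from Bishop Fox; the hostnames are constructed, and the rule that a branch not in the fixed list is reported as "unknown" rather than assumed safe is this example's own assumption.

```python
"""Classify FortiOS version strings against the fixed releases named in the
article (7.2.5, 7.0.12, 6.4.13, 6.2.15) for CVE-2023-27997 / FG-IR-23-097.

Rules (assumptions made for this example):
  * 'patched'    - the major.minor branch has a listed fix and the patch
                   level is >= that fix;
  * 'vulnerable' - the branch has a listed fix but the patch level is lower;
  * 'unknown'    - the branch is not in the list; do not assume it is safe,
                   check the vendor advisory for that branch instead.
"""
import re

FIXED_VERSIONS = {
    (7, 2): (7, 2, 5),
    (7, 0): (7, 0, 12),
    (6, 4): (6, 4, 13),
    (6, 2): (6, 2, 15),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'v7.2.4' or '7.2.4' -> (7, 2, 4); anything else raises ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(version):
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])   # look up the fix for this branch
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"  # tuple compare = numeric


def triage(inventory):
    """inventory: iterable of (hostname, version) pairs -> {hostname: status}."""
    return {host: classify(ver) for host, ver in inventory}


# Constructed sample inventory for demonstration; not real devices.
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "v7.2.4"),
    ("vpn-edge-02", "7.2.5"),
    ("branch-fw-07", "6.4.13"),
    ("branch-fw-08", "6.2.14"),
    ("legacy-fw", "5.4.1"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
```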

On Friday, Bishop Fox said its searches revealed nearly 490,000 Fortinet SSL-VPN interfaces exposed on the internet, and about 69 percent (338,100) of these remain unpatched.

To come up with this figure, the researchers used Shodan.io to search for servers whose HTTP responses indicated the equipment was not up to date.

On a side note, the research team also found "a handful of devices" still running eight-year-old FortiOS on the public internet. As Caleb Gross, director of capability development at Bishop Fox, wrote: "I wouldn't touch those with a 10-foot pole."

The team shared a screen capture of their exploit for CVE-2023-27997 in action, which Gross said "smashes the heap, connects back to an attacker-controlled server, downloads a BusyBox binary, and opens an interactive shell."

The bug was spotted and privately disclosed to Fortigate by Charles Fol and Dany Bach at French security firm Lexfo. Patches were issued on June 8, and Lexfo detailed the flaw and the exploit process on June 13.

For its exploit, however, the Bishop Fox team said they added a few extra steps and achieved a "significantly faster" exploit compared to Lexfo's exploit of an Intel x64 device. Bishop Fox's attack takes about a second. ®
