Blog: Fortigate CVE-2023-27997 (XORtigate) in the eyes of the owl

Author: Flo
Published on

Patrowl's blog - Fortigate CVE-2023-27997

On Friday, 11th of 2023, Fortinet quietly released a set of patches for most of their products. The security fixes included versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

Love Sunday

On Sunday, 13th of June 2023, Fortinet quietly released a set of patches for most of their products. The security fixes included versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

However, two days ago, a tweet from Charles Fol (special thanks to him), a Lexfo Security vulnerability researcher, revealed that the FortiOS updates addressed a critical Remote Code Execution (RCE) vulnerability. The vulnerability was identified as CVE-2023-27997, but no further details were provided in the tweet, which can be found at the following link: https://twitter.com/cfreal_/status/1667852157536616451?s=20.

The limited information provided by Fortinet regarding this publication has left all IT teams in a state of uncertainty, as they are unable to ascertain the true severity, impact, and exploitability of the vulnerability.

Love Patrowl

Considering the history of recent vulnerabilities in Fortinet products, such as the widely exploitable CVE-2022-40684 (Authentication bypass), it was crucial to take no chances. Therefore, we immediately alerted and advised all our clients to patch their systems before the release of the Fortinet Security Bulletin and the subsequent likely release of exploitation code.

This incident highlights the value and effectiveness of Patrowl EASM. With our comprehensive asset mapping, we were able to swiftly and accurately identify all exposed Fortinet VPN-SSL interfaces across our clients' environments. Instead of spending hours manually searching for potentially vulnerable interfaces within a larger EASM solution, our automation quickly identified the interfaces that were highly likely to be vulnerable, exploited, and in need of urgent patching.

By leveraging Patrowl EASM, our clients were able to respond promptly and effectively, mitigating the risks associated with this vulnerability.

More than 50 interfaces VPN-SSL have been found, and all our client were warned with all necessary qualified information, allow them to launch patch remediations before the release of the Fortinet Security bulletin.

Patrowl's blog - Fortigate CVE-2023-27997

Simultaneously, prioritizing our clients' security and patching needs, we have developed an efficient method to automatically verify if the latest security patches have been installed.

Blind Detection

The process of developing and stabilizing the exploitation code for over 50 different interfaces, each using various stacks and versions, would be both time-consuming and risky. Considering that the vulnerability appears to be a Heap Overflow, the potential for crashing production appliances is significantly high. Consequently, pursuing this path is not a viable option.

However, it was crucial for us to find a solution that enables precise detection of the vulnerability status on the appliance. This way, our client can effectively monitor the patching progress and assess their exposure to potential risks

As an alternative approach, we considered determining the version in a black box manner from an external perspective. However, this task is inherently challenging, particularly for VPN-SSL interfaces that generate a minimal number of requests. Complicating matters further, the manufacturers do not provide any indications regarding the version of the appliance.

To address this, we set up a laboratory environment where we configured seven different versions of FortiOS, each equipped with a VPN-SSL installation. The objective was to identify any notable differences among the exposed VPN-SSL interfaces across these versions. Here is an excerpt highlighting the variations observed in the patched version 6.4.13:

Patrowl's blog - Fortigate CVE-2023-27997Patrowl's blog - Fortigate CVE-2023-27997

As you can, see few differences:

  1. We have a different hash in parameter q on login.js request. However, no clear pattern has been found on that hash and related version (all hashes were different in all interfaces).
  2. Second hint, the size of https://x.x.x.x:3000/remote/login?lang=en (len 972458 vs 972088). A quick diff allows us to see than on the last versions, a parameter has been had to the main page:
$diff 6.4.12.result 6.4.13.result
9592a9593
> "confirm_pkg_upgrade_invalid_signature": "***WARNING: This package file has
no signature for validation.*** <br>Fortinet cannot verify the authenticity
of this package and therefore there may be a risk that the package contains
code unknown to Fortinet. In short, Fortinet cannot validate the package and
makes no warranties or representations concerning the package.",

Great! After performing some checks on other versions (7.0.12, 7.2.5, etc.), it was confirmed that this particular key was only present in the latest patched version. With this information, we can proceed to create a rapid and basic nuclei template that will accurately determine whether the interfaces are patched or not. This approach ensures that we can conduct the necessary checks without risking any service interruptions or negative impacts on the VPN-SSL Solution used in business environment.

id: cve-2023-27997

info:
  name: Detect unpatched (cve-2023-27997) FortiOS VPN Interface
  author: Patrowl
  severity: critical
  description: A heap-based buffer overflow vulnerability [CWE-122] in
FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and
below, version 6.0.16 and below and FortiProxy version 7.2.3 and below,
version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions,
version 1.1 all versions SSL-VPN may allow a remote attacker to execute
arbitrary code or commands via specifically crafted requests.

  reference:
    - [https://blog.lexfo.fr/xortigate-cve-2023-27997.html](https://blog.lexfo.fr/xortigate-cve-2023-27997.html){:target="_blank"}
    - [https://nvd.nist.gov/vuln/detail/CVE-2023-27997](https://nvd.nist.gov/vuln/detail/CVE-2023-27997){:target="_blank"}
    - [https://www.fortiguard.com/psirt/FG-IR-23-097](https://www.fortiguard.com/psirt/FG-IR-23-097){:target="_blank"}
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-27997
  tags: cve,cve2023,fortinet,fortios

http:
  - method: GET
    redirects: true
    max-redirects: 3
    path:
      - '{{BaseURL}}/remote/fgt_lang?lang=en'

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "confirm_pkg_upgrade_invalid_signature"
        part: body
        negative: true
      - type: word
        words:
          - "confirm_not_sig"
        part: body

Notes: The template has been tested and validated for version 7.4.0 (and below), 7.0.12 (and below), 6.4.13 (and below). But all new updates on other major branches seems to include the new keyword.

Conclusion

Our client efficiently patched 90% of detected Fortinet VPN-SSL interfaces within 2 days, and all patches have been automatically verified by Patrowl.

Using the pragmatic EASM approach, coupled with automated and adapted Pentest-as-a-Service methodology. These actions were taken even before the release of the Fortinet Security Bulletin. This success demonstrates the effectiveness of our approach in addressing security vulnerabilities.

Over the years, Fortinet products have become prime targets for automated external attacks, as evidenced by the numerous critical CVEs and readily available exploitation codes, such as the notable example in 2022.

However, the way Fortinet handles security bulletins and patching raises concerns. Releasing the security bulletin only a few days after the patch do not provide sufficient information for IT teams to effectively manage the patching process, particularly when dealing with sensitive VPN-SSL interfaces on production appliances.

While we were aware of the criticality of the CVEs based on our knowledge of recent Fortinet vulnerabilities, the process should be revised to ensure that IT teams have access to all relevant information. This way, they can make informed decisions regarding the severity and exploitability of the patched vulnerabilities and determine the appropriate timing for applying the patches.

References

https://www.fortiguard.com/psirt/FG-IR-23-097
https://www.bleepingcomputer.com/news/security/fortinet-new-fortios-rce-bug-may-have-been-exploited-in-attacks/
https://twitter.com/cfreal_/status/1667852157536616451
https://blog.lexfo.fr/xortigate-cve-2023-2797.html

Blog: We Wanted to Talk About Cyberattacks During the Olympics, but We Have Nothing to Say

Patrowl Raises €11m in Series A Funding: Continuous Protection of Internet Exposed Assets

Blog: regreSSHion, critical vulnerability on OpenSSH CVE-2024-6387