This research by the CYFIRMA Research team investigates a critical vulnerability, tracked as CVE-2023-27997, affecting FortiOS and FortiProxy SSL-VPN, a popular operating system and VPN, used in their security products. The vulnerability, known as XORTIGATE, has the potential for remote code execution (RCE) and is being exploited in recent attacks.
The vulnerability poses a significant risk to organizations as it enables remote code execution (RCE) and has already been exploited in recent attacks. The XORTIGATE vulnerability arises from an insecure deserialization flaw found in the SSL VPN portal, allowing attackers to execute arbitrary code with privileges of the targeted user.
Fortinet has identified the affected versions of FortiOS, which include 6.0 to 7.2.4, for FortiProxy 1.1.0 to 7.2.3. Organizations utilizing these versions must act swiftly to patch or upgrade their systems to protect against potential attacks.
The XORTIGATE vulnerability (CVE-2023-27997) was discovered and responsibly reported by researchers. Their expertise and efforts in identifying and disclosing the flaw have contributed to enhancing the overall cybersecurity landscape.
Vulnerability type: Remote Code Execution (RCE)
CVE ID: CVE-2023-27997
CVSS Severity Score: 9.8 [Critical]
Application: Fortinet FortiOS and FortiProxy
Impact: Remote code execution, unauthorized access, data breaches, network compromise
Affected Versions: FortiOS 6.0 – 7.2.4, FortiProxy 1.1.0 – 7.2.3 Patched Available: Yes
CYFIRMA Research has analysed multiple sources, reporting on the XORTIGATE vulnerability, CVE-2023-27997. This vulnerability affects FortiOS and FortiProxy SSL-VPN, an operating system widely utilized in their security products, including firewalls and VPN solutions. It arises from an insecure deserialization flaw present in the SSL VPN portal, allowing an attacker to exploit it remotely.
The vulnerability, classified as critical, enables attackers to execute arbitrary code with the privileges of the targeted user. It has the potential to compromise the confidentiality, integrity, and availability of affected systems. Successful exploitation of this flaw could result in unauthorized access, data exfiltration, network compromise, or complete control of the target system.
The exact details of the attacks are not disclosed, the potential impact of successful exploitation raises significant concerns for organizations utilizing FortiOS and FortiProxy SSL-VPN.
Shodan’s data reveals that over 200,000 Fortigate firewalls are currently accessible on the Internet, indicating a substantial presence of these devices. Given the vulnerability’s impact on earlier firmware versions, it is highly likely that a considerable portion of these firewalls remain susceptible to potential attacks. This underscores the urgent need for users to assess and address their Fortigate firewall configurations to mitigate the associated risks.
If successfully exploited, the XORTIGATE vulnerability (CVE-2023-27997) poses serious risks to organizations. The potential impacts include:
The XORTIGATE vulnerability (CVE-2023-27997) impacts the following versions of FortiOS and FortiProxy SSL-VPN:
The bug discovered is in the web interface used for VPN authentication, which is exposed to the internet. By sending a specially crafted HTTP parameter named “enc” to the path “/remote/hostcheck_validate,” an attacker can trigger a heap overflow bug.
The “enc” parameter contains encrypted data, including a seed, size, and actual data. The seed is used to compute a XOR keystream, and the other states of the keystream are calculated based on the previous state.
By XORing the keystream with the encrypted payload, the data can be decrypted. However, there is a bug in the code that handles the decryption process. The length of the payload is compared to the length of the given data, but due to a mismatch in the encoding, the given length can be twice as big as it should be. This bug allows an attacker to overwrite memory beyond the allocated buffer and XOR it with MD5 hashes.
To exploit this vulnerability, researchers explored various ideas. One approach involves modifying pointers by XORing them with a specific value, but it requires finding suitable MD5 hashes and may result in garbled data before the modified pointer. Another approach involves leveraging the underlying allocator, jemalloc, which allows for contiguous allocations and consistent allocation at the same memory address. By triggering the bug twice with the same parameters, it becomes possible to XOR bytes with the same value, except for one byte that can be set to zero. This provides a way to edit bytes in memory.
We also see a more efficient method for overwriting multiple bytes at once by applying the primitive with different seeds and lengths. By carefully computing the seeds, it becomes possible to set specific bytes to desired values. It’s important to note that this is a highly technical and detailed vulnerability analysis.
To detect the vulnerability in Fortigate devices, Fortigate users can employ the following method using the command line interface (CLI):
Run the command “diagnose sys fortiguard-service status” on the Fortigate device. The output will display the FortiOS Version. If the version is 7.2.5 or higher, it indicates that the device is not vulnerable. However, if the version is lower than these specified numbers, the device is considered vulnerable and requires immediate patching.
Alternatively, users can utilize external tools like Nmap or Shodan to scan their Fortigate devices for open ports associated with SSL VPN, such as port 443 or 10443. By examining the banner information retrieved, users can identify the FortiOS version number and determine if their devices are susceptible to the vulnerability.
Taking these detection measures will assist Fortigate users in identifying the vulnerability status of their devices and enable them to take appropriate actions such as applying patches or updates to secure their systems.
To mitigate the risks associated with the XORTIGATE vulnerability, organizations are strongly advised to follow these steps:
Based on the available information regarding the XORTIGATE vulnerability (CVE-2023- 27997) in FortiOS and FortiProxy SSL-VPN, it can potentially impact organizations worldwide that utilize Fortinet’s security products with the affected versions. Fortinet’s products are widely used globally, making the vulnerability relevant to organizations in various geographical regions.
Attackers may target organizations in regions where Fortinet products are heavily deployed, including North America, Europe, Asia-Pacific, and other regions with a significant presence of Fortinet infrastructure. The widespread use of Fortinet’s products in these regions increases the potential attack surface and the likelihood of finding vulnerable systems.
The XORTIGATE vulnerability in FortiOS and FortiProxy SSL-VPN can impact organizations across various industries that rely on Fortinet’s security solutions. These industries include but are not limited to healthcare, finance, government, telecommunications, and critical infrastructure sectors.
Threat actors may selectively target industries that handle sensitive information or have a higher reliance on Fortinet’s products. The potential impacts of a successful exploitation, such as unauthorized access, data breaches, and network compromise, make these industries attractive targets for attackers, seeking to exploit the vulnerability.
The XORTIGATE vulnerability (CVE-2023-27997) specifically affects FortiOS and FortiProxy SSL-VPN, the operating system used in their security products. As Fortinet is a prominent provider of cybersecurity solutions, the vulnerability is limited to organizations utilizing Fortinet’s infrastructure, including their firewalls, VPN solutions, and related products.
However, it is essential to note that the potential impact of the vulnerability extends beyond Fortinet’s products. Successful exploitation of the vulnerability can lead to unauthorized access, data breaches, and potential compromise of an organization’s overall technology infrastructure, including network devices, servers, and other connected systems.
Understanding the specific target geography, industries, and technologies affected by the XORTIGATE vulnerability assists organizations in prioritizing their security measures, applying necessary patches, and implementing proactive security controls to mitigate the risk of exploitation.
From underground forums, CYFIRMA Research team has observed that unknown hackers are selling Fortinet and Other Major product RCE Exploits.
Organizations and individuals using FortiOS and FortiProxy SSL-VPN are advised to remain vigilant and take proactive measures to protect their systems from potential attacks related to the XORTIGATE vulnerability (CVE-2023-27997). This includes promptly applying any available patches or security updates released by Fortinet to mitigate the vulnerability.
The XORTIGATE vulnerability (CVE-2023-27997) in FortiOS and FortiProxy SSL-VPN poses a significant risk to organizations utilizing the affected versions. With a low attack complexity level and the potential for remote code execution, unauthorized access, and network compromise, prompt mitigation is crucial. While there is currently no public exploit tool, the absence of proof-of-concept does not guarantee protection. Continuous monitoring is essential as threat actors may attempt to exploit this vulnerability in the near term. As a research company, CYFIRMA emphasizes the importance of proactive vulnerability management, patching, and staying informed through reliable sources to protect against emerging threats.