-
Notifications
You must be signed in to change notification settings - Fork 48
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #675 from DIVD-NL/xortigate-close
Close xortgiate
- Loading branch information
Showing
1 changed file
with
96 additions
and
89 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,89 +1,96 @@ | ||
| --- | ||
| layout: case | ||
| title: "Critical Fortinet SSL-VPN RCE Vulnerability" | ||
| excerpt: "A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests." | ||
| author: Boaz Braaksma | ||
| lead: Ralph Horn | ||
| status: Open | ||
| researchers: | ||
| - Axel Boesenach | ||
| - Victor Pasman | ||
| - Lennaert Oudshoorn | ||
| - Max van der Horst | ||
| - Alwin Warringa | ||
| - Boaz Braaksma | ||
| - Ralph Horn | ||
| cves: | ||
| - CVE-2023-27997 | ||
| product: "FortiOS-6K7K, FortiProxy, and FortiOS" | ||
| versions: | ||
| - FortiOS-6K7K version 7.0.10 | ||
| - FortiOS-6K7K version 7.0.5 | ||
| - FortiOS-6K7K version 6.4.12 | ||
| - FortiOS-6K7K version 6.4.10 | ||
| - FortiOS-6K7K version 6.4.8 | ||
| - FortiOS-6K7K version 6.4.6 | ||
| - FortiOS-6K7K version 6.4.2 | ||
| - FortiOS-6K7K version 6.2.9 through 6.2.13 | ||
| - FortiOS-6K7K version 6.2.6 through 6.2.7 | ||
| - FortiOS-6K7K version 6.2.4 | ||
| - FortiOS-6K7K version 6.0.12 through 6.0.16 | ||
| - FortiOS-6K7K version 6.0.10 | ||
| - FortiProxy version 7.2.0 through 7.2.3 | ||
| - FortiProxy version 7.0.0 through 7.0.9 | ||
| - FortiProxy version 2.0.0 through 2.0.12 | ||
| - FortiProxy 1.2 all versions | ||
| - FortiProxy 1.1 all versions | ||
| - FortiOS version 7.2.0 through 7.2.4 | ||
| - FortiOS version 7.0.0 through 7.0.11 | ||
| - FortiOS version 6.4.0 through 6.4.12 | ||
| - FortiOS version 6.2.0 through 6.2.13 | ||
| - FortiOS version 6.0.0 through 6.0.16 | ||
| recommendation: "Upgrade your affected installations to one of the fixed versions listed by Fortinet in their Security Advisory." | ||
| patch_status: Fuly patched | ||
| -workaround: Disable SSL VPN or only allow whitelisted IPs | ||
| status : Open | ||
| start: 2023-06-09 | ||
| end: | ||
| timeline: | ||
| - start: 2023-06-09 | ||
| end: | ||
| event: "Fortinet released security fixes" | ||
| - start: 2023-06-09 | ||
| end: | ||
| event: "DIVD starts tracking this vulnerability" | ||
| - start: 2023-07-13 | ||
| end: | ||
| event: "Fortinet publishes security advisory" | ||
| - start: 2023-06-12 | ||
| end: | ||
| event: "DIVD starts researching fingerprint" | ||
| - start: 2023-06-13 | ||
| end: | ||
| event: DIVD identifies vulnerable devices" | ||
| - start: 2023-07-17 | ||
| end: | ||
| event: "Fox-IT/NCC Group shares data of more vulnerable devices with DIVD" | ||
| - start: 2023-07-17 | ||
| end: | ||
| event: "First version of this casefile" | ||
| --- | ||
|
|
||
| ## Summary | ||
| Following previous incident FG-IR-22-398 / CVE-2022-42475 published on January 11, 2023 (known to us as DIVD-2022-00063) where a heap-based buffer overflow in FortiOS SSL VPN with exploitation was observed in the wild, the Fortinet Product Security Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module. This audit, together with a responsible disclosure from a third-party researcher, led to the identification of this new critical SSL-VPN RCE Vulnerability. | ||
| According to a blog, posted by BishopFox, there were nearly 490,000 affected SSL VPN interfaces exposed on the internet on June 30th of 2023. Roughly 69% of them were at that time unpatched. | ||
| ## What you can do | ||
| Upgrade your SSL VPN instance to the latest version or apply the work-around: disable SSL VPN or only allow whitelisted IPs. | ||
|
|
||
| ## What we are doing | ||
| DIVD is currently scanning for vulnerable instances connected to the public internet. We would like to thank Fox-IT / NCC Group for the data on this vulnerability that we will use to notify owners of vulnerable systems. Owners of vulnerable systems will receive a notification with instructions to update their system. | ||
|
|
||
| {% include timeline.html %} | ||
|
|
||
| ## More information | ||
| * {% cve CVE-2023-27997 %} | ||
| * [Fortinet Security Advisory](https://www.fortiguard.com/psirt/FG-IR-23-097) | ||
| * [Fortinet PSIRT Blog CVE-2023-27997](https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign) | ||
| * [Fortinet PSIRT Blog 2022-42475 ](https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd) | ||
| * [DIVD case CVE-2022-42475](https://csirt.divd.nl/csirt-divd-nl/cases/DIVD-2022-00063/) | ||
| * [Bishop Fox Blog](https://bishopfox.com/blog/cve-2023-27997-exploitable-and-fortigate-firewalls-vulnerable) | ||
| --- | ||
| layout: case | ||
| title: "Critical Fortinet SSL-VPN RCE Vulnerability" | ||
| excerpt: "A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests." | ||
| author: Boaz Braaksma | ||
| lead: Ralph Horn | ||
| status: Closed | ||
| researchers: | ||
| - Axel Boesenach | ||
| - Victor Pasman | ||
| - Lennaert Oudshoorn | ||
| - Max van der Horst | ||
| - Alwin Warringa | ||
| - Boaz Braaksma | ||
| - Ralph Horn | ||
| cves: | ||
| - CVE-2023-27997 | ||
| product: "FortiOS-6K7K, FortiProxy, and FortiOS" | ||
| versions: | ||
| - FortiOS-6K7K version 7.0.10 | ||
| - FortiOS-6K7K version 7.0.5 | ||
| - FortiOS-6K7K version 6.4.12 | ||
| - FortiOS-6K7K version 6.4.10 | ||
| - FortiOS-6K7K version 6.4.8 | ||
| - FortiOS-6K7K version 6.4.6 | ||
| - FortiOS-6K7K version 6.4.2 | ||
| - FortiOS-6K7K version 6.2.9 through 6.2.13 | ||
| - FortiOS-6K7K version 6.2.6 through 6.2.7 | ||
| - FortiOS-6K7K version 6.2.4 | ||
| - FortiOS-6K7K version 6.0.12 through 6.0.16 | ||
| - FortiOS-6K7K version 6.0.10 | ||
| - FortiProxy version 7.2.0 through 7.2.3 | ||
| - FortiProxy version 7.0.0 through 7.0.9 | ||
| - FortiProxy version 2.0.0 through 2.0.12 | ||
| - FortiProxy 1.2 all versions | ||
| - FortiProxy 1.1 all versions | ||
| - FortiOS version 7.2.0 through 7.2.4 | ||
| - FortiOS version 7.0.0 through 7.0.11 | ||
| - FortiOS version 6.4.0 through 6.4.12 | ||
| - FortiOS version 6.2.0 through 6.2.13 | ||
| - FortiOS version 6.0.0 through 6.0.16 | ||
| recommendation: "Upgrade your affected installations to one of the fixed versions listed by Fortinet in their Security Advisory." | ||
| patch_status: Fuly patched | ||
| -workaround: Disable SSL VPN or only allow whitelisted IPs | ||
| status : Closed | ||
| start: 2023-06-09 | ||
| end: 2023-09-26 | ||
| timeline: | ||
| - start: 2023-06-09 | ||
| end: | ||
| event: "Fortinet released security fixes" | ||
| - start: 2023-06-09 | ||
| end: | ||
| event: "DIVD starts tracking this vulnerability" | ||
| - start: 2023-07-13 | ||
| end: | ||
| event: "Fortinet publishes security advisory" | ||
| - start: 2023-06-12 | ||
| end: | ||
| event: "DIVD starts researching fingerprint" | ||
| - start: 2023-06-13 | ||
| end: | ||
| event: DIVD identifies vulnerable devices" | ||
| - start: 2023-07-17 | ||
| end: | ||
| event: "Fox-IT/NCC Group shares data of more vulnerable devices with DIVD" | ||
| - start: 2023-07-17 | ||
| end: | ||
| event: "First version of this casefile" | ||
| - start: 2023-08-07 | ||
| end: | ||
| event: "First Mailrun." | ||
| - start: 2023-09-26 | ||
| end: | ||
| event: "Case closed after monitoring phase." | ||
| ips: 242047 | ||
| --- | ||
|
|
||
| ## Summary | ||
| Following previous incident FG-IR-22-398 / CVE-2022-42475 published on January 11, 2023 (known to us as DIVD-2022-00063) where a heap-based buffer overflow in FortiOS SSL VPN with exploitation was observed in the wild, the Fortinet Product Security Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module. This audit, together with a responsible disclosure from a third-party researcher, led to the identification of this new critical SSL-VPN RCE Vulnerability. | ||
| According to a blog, posted by BishopFox, there were nearly 490,000 affected SSL VPN interfaces exposed on the internet on June 30th of 2023. Roughly 69% of them were at that time unpatched. | ||
| ## What you can do | ||
| Upgrade your SSL VPN instance to the latest version or apply the work-around: disable SSL VPN or only allow whitelisted IPs. | ||
|
|
||
| ## What we are doing | ||
| DIVD is currently scanning for vulnerable instances connected to the public internet. We would like to thank Fox-IT / NCC Group for the data on this vulnerability that we will use to notify owners of vulnerable systems. Owners of vulnerable systems will receive a notification with instructions to update their system. | ||
|
|
||
| {% include timeline.html %} | ||
|
|
||
| ## More information | ||
| * {% cve CVE-2023-27997 %} | ||
| * [Fortinet Security Advisory](https://www.fortiguard.com/psirt/FG-IR-23-097) | ||
| * [Fortinet PSIRT Blog CVE-2023-27997](https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign) | ||
| * [Fortinet PSIRT Blog 2022-42475 ](https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd) | ||
| * [DIVD case CVE-2022-42475](https://csirt.divd.nl/csirt-divd-nl/cases/DIVD-2022-00063/) | ||
| * [Bishop Fox Blog](https://bishopfox.com/blog/cve-2023-27997-exploitable-and-fortigate-firewalls-vulnerable) |