From be1885e4b37da4a0b1672fbc0b6976d855af11b4 Mon Sep 17 00:00:00 2001 From: Maximand Date: Tue, 26 Sep 2023 10:10:14 +0200 Subject: [PATCH 1/2] Close cases 17, 24, 31 and 33 --- _cases/2023/DIVD-2023-00017.md | 11 +++++++++-- _cases/2023/DIVD-2023-00024.md | 11 +++++++++-- _cases/2023/DIVD-2023-00031.md | 8 ++++++-- _cases/2023/DIVD-2023-00033.md | 8 ++++++-- 4 files changed, 30 insertions(+), 8 deletions(-) diff --git a/_cases/2023/DIVD-2023-00017.md b/_cases/2023/DIVD-2023-00017.md index 6207a10e..fac59c44 100644 --- a/_cases/2023/DIVD-2023-00017.md +++ b/_cases/2023/DIVD-2023-00017.md @@ -3,7 +3,7 @@ layout: case title: "Cisco Small Business Router Authentication Bypass" author: Max van der Horst lead: Max van der Horst -status: Open +status: Closed excerpt: "Cisco RV016, RV042, RV042G and RV082 contain an authentication bypass vulnerability. " researchers: - Max van der Horst @@ -13,7 +13,7 @@ product: "Cisco RV016, RV042, RV042G, RV082" recommendation: "Apply the proposed workaround by restricting access to port 443 and 60443 and disabling remote management." start: 2023-03-15 -end: +end: 2023-09-26 timeline: - start: 2023-03-15 end: @@ -24,6 +24,13 @@ timeline: - start: 2023-03-16 end: event: "DIVD performs first mailrun." +- start: 2023-07-03 + end: + event: "DIVD performs second mailrun." +- start: 2023-09-26 + end: + event: "DIVD closes case after monitoring phase." +ips:7620 --- ## Summary diff --git a/_cases/2023/DIVD-2023-00024.md b/_cases/2023/DIVD-2023-00024.md index c533b250..b4a5e538 100644 --- a/_cases/2023/DIVD-2023-00024.md +++ b/_cases/2023/DIVD-2023-00024.md @@ -3,7 +3,7 @@ layout: case title: "SQL injection in GeoServer - CVE-2023-25157" author: Jeroen van de Weerd lead: Max van der Horst -status: Open +status: Closed excerpt: "GeoServer has a critical SQL injection vulnerability." researchers: - Max van der Horst 
@@ -18,7 +18,7 @@ versions: recommendation: "Install patches." start: 2023-06-07 -end: +end: 2023-09-26 timeline: - start: 2023-02-20 end: @@ -32,6 +32,13 @@ timeline: - start: 2023-06-07 end: event: "First version of this casefile." +- start: 2023-07-04 + end: + event: "DIVD starts notification round." + - start: 2023-09-26 + end: + event: "Case closed." +ips:94 --- ## Summary diff --git a/_cases/2023/DIVD-2023-00031.md b/_cases/2023/DIVD-2023-00031.md index 3d302f2a..90ed4ca7 100644 --- a/_cases/2023/DIVD-2023-00031.md +++ b/_cases/2023/DIVD-2023-00031.md @@ -17,9 +17,9 @@ versions: recommendation: Update your system to the latest patched version patch_status: Fully patched #workaround: n/a -status : Open +status : Closed start: 2023-07-25 -end: +end: 2023-09-26 timeline: - start: 2022-07-25 end: @@ -30,7 +30,11 @@ timeline: - start: 2023-07-26 end: event: "DIVD is notifying through notification partners" +- start: 2023-09-26 + end: + event: "DIVD decides to close case after monitoring phase." # You can set IPs to n/a when this case isn't about IPs (e.g. stolen credentials) +ips: 1029 --- ## Summary diff --git a/_cases/2023/DIVD-2023-00033.md b/_cases/2023/DIVD-2023-00033.md index 42fc2671..39d9a637 100644 --- a/_cases/2023/DIVD-2023-00033.md +++ b/_cases/2023/DIVD-2023-00033.md @@ -21,9 +21,9 @@ versions: recommendation: Update your system to the latest patched version patch_status: Fully patched #workaround: n/a -status : Open +status : Closed start: 2023-07-18 -end: +end: 2023-09-26 timeline: - start: 2023-07-18 end: @@ -43,8 +43,12 @@ timeline: - start: 2023-08-16 end: event: "DIVD starts collaboration with Shadowserver on data sharing." +- start: 2023-09-26 + end: + event: "DIVD decides to close case after monitoring." # You can set IPs to n/a when this case isn't about IPs (e.g. stolen credentials) +ips: 2497 --- ## Summary From 025e02e38e7204edd8527ee4ae40ebb3a7adca95 Mon Sep 17 00:00:00 2001 
From: Maximand Date: Tue, 26 Sep 2023 10:52:23 +0200 Subject: [PATCH 2/2] Close xortgiate --- _cases/2023/DIVD-2023-00029.md | 185 +++++++++++++++++---------------- 1 file changed, 96 insertions(+), 89 deletions(-) diff --git a/_cases/2023/DIVD-2023-00029.md b/_cases/2023/DIVD-2023-00029.md index 774d4e27..5d90473b 100644 --- a/_cases/2023/DIVD-2023-00029.md +++ b/_cases/2023/DIVD-2023-00029.md 
@@ -1,89 +1,96 @@ ---- -layout: case -title: "Critical Fortinet SSL-VPN RCE Vulnerability" -excerpt: "A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests." -author: Boaz Braaksma -lead: Ralph Horn -status: Open -researchers: -- Axel Boesenach -- Victor Pasman -- Lennaert Oudshoorn -- Max van der Horst -- Alwin Warringa -- Boaz Braaksma -- Ralph Horn -cves: -- CVE-2023-27997 -product: "FortiOS-6K7K, FortiProxy, and FortiOS" -versions: -- FortiOS-6K7K version 7.0.10 -- FortiOS-6K7K version 7.0.5 -- FortiOS-6K7K version 6.4.12 -- FortiOS-6K7K version 6.4.10 -- FortiOS-6K7K version 6.4.8 -- FortiOS-6K7K version 6.4.6 -- FortiOS-6K7K version 6.4.2 -- FortiOS-6K7K version 6.2.9 through 6.2.13 -- FortiOS-6K7K version 6.2.6 through 6.2.7 -- FortiOS-6K7K version 6.2.4 -- FortiOS-6K7K version 6.0.12 through 6.0.16 -- FortiOS-6K7K version 6.0.10 -- FortiProxy version 7.2.0 through 7.2.3 -- FortiProxy version 7.0.0 through 7.0.9 -- FortiProxy version 2.0.0 through 2.0.12 -- FortiProxy 1.2 all versions -- FortiProxy 1.1 all versions -- FortiOS version 7.2.0 through 7.2.4 -- FortiOS version 7.0.0 through 7.0.11 -- FortiOS version 6.4.0 through 6.4.12 -- FortiOS version 6.2.0 through 6.2.13 -- FortiOS version 6.0.0 through 6.0.16 -recommendation: "Upgrade your affected installations to one of the fixed versions listed by Fortinet in their Security Advisory." 
-patch_status: Fuly patched --workaround: Disable SSL VPN or only allow whitelisted IPs -status : Open -start: 2023-06-09 -end: -timeline: -- start: 2023-06-09 - end: - event: "Fortinet released security fixes" -- start: 2023-06-09 - end: - event: "DIVD starts tracking this vulnerability" -- start: 2023-07-13 - end: - event: "Fortinet publishes security advisory" -- start: 2023-06-12 - end: - event: "DIVD starts researching fingerprint" -- start: 2023-06-13 - end: - event: DIVD identifies vulnerable devices" -- start: 2023-07-17 - end: - event: "Fox-IT/NCC Group shares data of more vulnerable devices with DIVD" -- start: 2023-07-17 - end: - event: "First version of this casefile" ---- - -## Summary -Following previous incident FG-IR-22-398 / CVE-2022-42475 published on January 11, 2023 (known to us as DIVD-2022-00063) where a heap-based buffer overflow in FortiOS SSL VPN with exploitation was observed in the wild, the Fortinet Product Security Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module. This audit, together with a responsible disclosure from a third-party researcher, led to the identification of this new critical SSL-VPN RCE Vulnerability. -According to a blog, posted by BishopFox, there were nearly 490,000 affected SSL VPN interfaces exposed on the internet on June 30th of 2023. Roughly 69% of them were at that time unpatched. -## What you can do -Upgrade your SSL VPN instance to the latest version or apply the work-around: disable SSL VPN or only allow whitelisted IPs. - -## What we are doing -DIVD is currently scanning for vulnerable instances connected to the public internet. We would like to thank Fox-IT / NCC Group for the data on this vulnerability that we will use to notify owners of vulnerable systems. Owners of vulnerable systems will receive a notification with instructions to update their system. 
- -{% include timeline.html %} - -## More information -* {% cve CVE-2023-27997 %} -* [Fortinet Security Advisory](https://www.fortiguard.com/psirt/FG-IR-23-097) -* [Fortinet PSIRT Blog CVE-2023-27997](https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign) -* [Fortinet PSIRT Blog 2022-42475 ](https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd) -* [DIVD case CVE-2022-42475](https://csirt.divd.nl/csirt-divd-nl/cases/DIVD-2022-00063/) -* [Bishop Fox Blog](https://bishopfox.com/blog/cve-2023-27997-exploitable-and-fortigate-firewalls-vulnerable) \ No newline at end of file +--- +layout: case +title: "Critical Fortinet SSL-VPN RCE Vulnerability" +excerpt: "A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests." +author: Boaz Braaksma +lead: Ralph Horn +status: Closed +researchers: +- Axel Boesenach +- Victor Pasman +- Lennaert Oudshoorn +- Max van der Horst +- Alwin Warringa +- Boaz Braaksma +- Ralph Horn +cves: +- CVE-2023-27997 +product: "FortiOS-6K7K, FortiProxy, and FortiOS" +versions: +- FortiOS-6K7K version 7.0.10 +- FortiOS-6K7K version 7.0.5 +- FortiOS-6K7K version 6.4.12 +- FortiOS-6K7K version 6.4.10 +- FortiOS-6K7K version 6.4.8 +- FortiOS-6K7K version 6.4.6 +- FortiOS-6K7K version 6.4.2 +- FortiOS-6K7K version 6.2.9 through 6.2.13 +- FortiOS-6K7K version 6.2.6 through 6.2.7 +- FortiOS-6K7K version 6.2.4 +- FortiOS-6K7K version 6.0.12 through 6.0.16 +- FortiOS-6K7K version 6.0.10 +- FortiProxy version 7.2.0 through 7.2.3 +- FortiProxy version 7.0.0 through 7.0.9 +- FortiProxy version 2.0.0 through 2.0.12 +- FortiProxy 1.2 all versions +- FortiProxy 1.1 all versions +- FortiOS version 7.2.0 through 7.2.4 +- FortiOS version 7.0.0 through 7.0.11 +- FortiOS version 6.4.0 through 6.4.12 +- FortiOS version 6.2.0 
through 6.2.13 +- FortiOS version 6.0.0 through 6.0.16 +recommendation: "Upgrade your affected installations to one of the fixed versions listed by Fortinet in their Security Advisory." +patch_status: Fuly patched +-workaround: Disable SSL VPN or only allow whitelisted IPs +status : Closed +start: 2023-06-09 +end: 2023-09-26 +timeline: +- start: 2023-06-09 + end: + event: "Fortinet released security fixes" +- start: 2023-06-09 + end: + event: "DIVD starts tracking this vulnerability" +- start: 2023-07-13 + end: + event: "Fortinet publishes security advisory" +- start: 2023-06-12 + end: + event: "DIVD starts researching fingerprint" +- start: 2023-06-13 + end: + event: DIVD identifies vulnerable devices" +- start: 2023-07-17 + end: + event: "Fox-IT/NCC Group shares data of more vulnerable devices with DIVD" +- start: 2023-07-17 + end: + event: "First version of this casefile" +- start: 2023-08-07 + end: + event: "First Mailrun." +- start: 2023-09-26 + end: + event: "Case closed after monitoring phase." +ips:242047 +--- + +## Summary +Following previous incident FG-IR-22-398 / CVE-2022-42475 published on January 11, 2023 (known to us as DIVD-2022-00063) where a heap-based buffer overflow in FortiOS SSL VPN with exploitation was observed in the wild, the Fortinet Product Security Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module. This audit, together with a responsible disclosure from a third-party researcher, led to the identification of this new critical SSL-VPN RCE Vulnerability. +According to a blog, posted by BishopFox, there were nearly 490,000 affected SSL VPN interfaces exposed on the internet on June 30th of 2023. Roughly 69% of them were at that time unpatched. +## What you can do +Upgrade your SSL VPN instance to the latest version or apply the work-around: disable SSL VPN or only allow whitelisted IPs. + +## What we are doing +DIVD is currently scanning for vulnerable instances connected to the public internet. 
We would like to thank Fox-IT / NCC Group for the data on this vulnerability that we will use to notify owners of vulnerable systems. Owners of vulnerable systems will receive a notification with instructions to update their system. + +{% include timeline.html %} + +## More information +* {% cve CVE-2023-27997 %} +* [Fortinet Security Advisory](https://www.fortiguard.com/psirt/FG-IR-23-097) +* [Fortinet PSIRT Blog CVE-2023-27997](https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign) +* [Fortinet PSIRT Blog 2022-42475 ](https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd) +* [DIVD case CVE-2022-42475](https://csirt.divd.nl/csirt-divd-nl/cases/DIVD-2022-00063/) +* [Bishop Fox Blog](https://bishopfox.com/blog/cve-2023-27997-exploitable-and-fortigate-firewalls-vulnerable)
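Review bot: In the DIVD-2023-00017 hunk `@@ -24,6 +24,13 @@`, the added line `+ips:7620` is missing the space after the colon. In YAML a colon only introduces a mapping key when it is followed by whitespace, so as written this line is a bare scalar at the top level of the front matter and will either fail to parse or be silently ignored, leaving the case without an `ips` value. The 00031 and 00033 hunks in this same patch write it correctly as `ips: 1029` and `ips: 2497`; please change this one to `ips: 7620`.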
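Review bot: In the DIVD-2023-00024 hunk `@@ -32,6 +32,13 @@`, the second new timeline entry `+ - start: 2023-09-26` is indented one space deeper than its sibling `+- start: 2023-07-04` and the existing entries; sequence items at different indentation are a YAML parse error, which will break the whole front matter for this case. Drop the leading space so it reads `- start: 2023-09-26`. The same hunk also has `+ips:94` without a space after the colon, which has the same problem as in the 00017 hunk; it should be `ips: 94`.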
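Review bot: In the DIVD-2023-00031 hunk `@@ -17,9 +17,9 @@`, the unchanged context shows the first timeline entry as `- start: 2022-07-25` while the case `start:` on the same screen is `2023-07-25`; that looks like a year typo that will render a bogus 2022 event on the timeline. Since this file is being touched to close the case, it is worth correcting the date in the same change.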
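Review bot: The DIVD-2023-00029 hunk `@@ -1,89 +1,96 @@` removes and re-adds every line of the file (89 deletions, 96 insertions) although only `status`, `end`, two timeline entries and `ips` actually changed; together with the `\ No newline at end of file` marker on the old side this usually means the line endings or trailing newline were rewritten, which hides the real change from reviewers and from `git blame`. Please normalise line endings in a separate commit (or check the result with `git diff -w` / `--ignore-space-at-eol`) so this hunk shrinks to the intended edits. While the whole file is being rewritten anyway, the front matter carries several pre-existing defects forward that should be fixed here: `status` is declared twice (`status: Closed` near the top and `status : Closed` further down, a duplicate key); `patch_status: Fuly patched` should read `Fully patched`; `-workaround: Disable SSL VPN ...` has a stray leading hyphen, so the key becomes `-workaround` rather than `workaround` (the other cases use `#workaround: n/a`); `event: DIVD identifies vulnerable devices"` is missing its opening quote; and `+ips:242047` needs a space after the colon like the other `ips:` keys. The body text is now also inconsistent with the new status: "What we are doing" still says "DIVD is currently scanning for vulnerable instances" even though the case is marked Closed with a "Case closed after monitoring phase." timeline entry, so that paragraph should be updated to past tense. Finally, the commit subject "Close xortgiate" looks like a typo for the Fortigate case.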