From 025e02e38e7204edd8527ee4ae40ebb3a7adca95 Mon Sep 17 00:00:00 2001 From: Maximand Date: Tue, 26 Sep 2023 10:52:23 +0200 Subject: [PATCH 1/3] Close xortgiate --- _cases/2023/DIVD-2023-00029.md | 185 +++++++++++++++++---------------- 1 file changed, 96 insertions(+), 89 deletions(-) diff --git a/_cases/2023/DIVD-2023-00029.md b/_cases/2023/DIVD-2023-00029.md index 774d4e27..5d90473b 100644 --- a/_cases/2023/DIVD-2023-00029.md +++ b/_cases/2023/DIVD-2023-00029.md @@ -1,89 +1,96 @@ ---- -layout: case -title: "Critical Fortinet SSL-VPN RCE Vulnerability" -excerpt: "A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests." -author: Boaz Braaksma -lead: Ralph Horn -status: Open -researchers: -- Axel Boesenach -- Victor Pasman -- Lennaert Oudshoorn -- Max van der Horst -- Alwin Warringa -- Boaz Braaksma -- Ralph Horn -cves: -- CVE-2023-27997 -product: "FortiOS-6K7K, FortiProxy, and FortiOS" -versions: -- FortiOS-6K7K version 7.0.10 -- FortiOS-6K7K version 7.0.5 -- FortiOS-6K7K version 6.4.12 -- FortiOS-6K7K version 6.4.10 -- FortiOS-6K7K version 6.4.8 -- FortiOS-6K7K version 6.4.6 -- FortiOS-6K7K version 6.4.2 -- FortiOS-6K7K version 6.2.9 through 6.2.13 -- FortiOS-6K7K version 6.2.6 through 6.2.7 -- FortiOS-6K7K version 6.2.4 -- FortiOS-6K7K version 6.0.12 through 6.0.16 -- FortiOS-6K7K version 6.0.10 -- FortiProxy version 7.2.0 through 7.2.3 -- FortiProxy version 7.0.0 through 7.0.9 -- FortiProxy version 2.0.0 through 2.0.12 -- FortiProxy 1.2 all versions -- FortiProxy 1.1 all versions -- FortiOS version 7.2.0 through 7.2.4 -- FortiOS version 7.0.0 through 7.0.11 -- FortiOS version 6.4.0 through 6.4.12 -- FortiOS version 6.2.0 through 6.2.13 -- FortiOS version 6.0.0 through 6.0.16 -recommendation: "Upgrade your affected installations to one of the fixed versions listed by Fortinet in their Security Advisory." -patch_status: Fuly patched --workaround: Disable SSL VPN or only allow whitelisted IPs -status : Open -start: 2023-06-09 -end: -timeline: -- start: 2023-06-09 - end: - event: "Fortinet released security fixes" -- start: 2023-06-09 - end: - event: "DIVD starts tracking this vulnerability" -- start: 2023-07-13 - end: - event: "Fortinet publishes security advisory" -- start: 2023-06-12 - end: - event: "DIVD starts researching fingerprint" -- start: 2023-06-13 - end: - event: DIVD identifies vulnerable devices" -- start: 2023-07-17 - end: - event: "Fox-IT/NCC Group shares data of more vulnerable devices with DIVD" -- start: 2023-07-17 - end: - event: "First version of this casefile" ---- - -## Summary -Following previous incident FG-IR-22-398 / CVE-2022-42475 published on January 11, 2023 (known to us as DIVD-2022-00063) where a heap-based buffer overflow in FortiOS SSL VPN with exploitation was observed in the wild, the Fortinet Product Security Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module. This audit, together with a responsible disclosure from a third-party researcher, led to the identification of this new critical SSL-VPN RCE Vulnerability. -According to a blog, posted by BishopFox, there were nearly 490,000 affected SSL VPN interfaces exposed on the internet on June 30th of 2023. Roughly 69% of them were at that time unpatched. -## What you can do -Upgrade your SSL VPN instance to the latest version or apply the work-around: disable SSL VPN or only allow whitelisted IPs. - -## What we are doing -DIVD is currently scanning for vulnerable instances connected to the public internet. We would like to thank Fox-IT / NCC Group for the data on this vulnerability that we will use to notify owners of vulnerable systems. Owners of vulnerable systems will receive a notification with instructions to update their system. - -{% include timeline.html %} - -## More information -* {% cve CVE-2023-27997 %} -* [Fortinet Security Advisory](https://www.fortiguard.com/psirt/FG-IR-23-097) -* [Fortinet PSIRT Blog CVE-2023-27997](https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign) -* [Fortinet PSIRT Blog 2022-42475 ](https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd) -* [DIVD case CVE-2022-42475](https://csirt.divd.nl/csirt-divd-nl/cases/DIVD-2022-00063/) -* [Bishop Fox Blog](https://bishopfox.com/blog/cve-2023-27997-exploitable-and-fortigate-firewalls-vulnerable) \ No newline at end of file +--- +layout: case +title: "Critical Fortinet SSL-VPN RCE Vulnerability" +excerpt: "A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests." +author: Boaz Braaksma +lead: Ralph Horn +status: Closed +researchers: +- Axel Boesenach +- Victor Pasman +- Lennaert Oudshoorn +- Max van der Horst +- Alwin Warringa +- Boaz Braaksma +- Ralph Horn +cves: +- CVE-2023-27997 +product: "FortiOS-6K7K, FortiProxy, and FortiOS" +versions: +- FortiOS-6K7K version 7.0.10 +- FortiOS-6K7K version 7.0.5 +- FortiOS-6K7K version 6.4.12 +- FortiOS-6K7K version 6.4.10 +- FortiOS-6K7K version 6.4.8 +- FortiOS-6K7K version 6.4.6 +- FortiOS-6K7K version 6.4.2 +- FortiOS-6K7K version 6.2.9 through 6.2.13 +- FortiOS-6K7K version 6.2.6 through 6.2.7 +- FortiOS-6K7K version 6.2.4 +- FortiOS-6K7K version 6.0.12 through 6.0.16 +- FortiOS-6K7K version 6.0.10 +- FortiProxy version 7.2.0 through 7.2.3 +- FortiProxy version 7.0.0 through 7.0.9 +- FortiProxy version 2.0.0 through 2.0.12 +- FortiProxy 1.2 all versions +- FortiProxy 1.1 all versions +- FortiOS version 7.2.0 through 7.2.4 +- FortiOS version 7.0.0 through 7.0.11 +- FortiOS version 6.4.0 through 6.4.12 +- FortiOS version 6.2.0 through 6.2.13 +- FortiOS version 6.0.0 through 6.0.16 +recommendation: "Upgrade your affected installations to one of the fixed versions listed by Fortinet in their Security Advisory." +patch_status: Fuly patched +-workaround: Disable SSL VPN or only allow whitelisted IPs +status : Closed +start: 2023-06-09 +end: 2023-09-26 +timeline: +- start: 2023-06-09 + end: + event: "Fortinet released security fixes" +- start: 2023-06-09 + end: + event: "DIVD starts tracking this vulnerability" +- start: 2023-07-13 + end: + event: "Fortinet publishes security advisory" +- start: 2023-06-12 + end: + event: "DIVD starts researching fingerprint" +- start: 2023-06-13 + end: + event: DIVD identifies vulnerable devices" +- start: 2023-07-17 + end: + event: "Fox-IT/NCC Group shares data of more vulnerable devices with DIVD" +- start: 2023-07-17 + end: + event: "First version of this casefile" +- start: 2023-08-07 + end: + event: "First Mailrun." +- start: 2023-09-26 + end: + event: "Case closed after monitoring phase." +ips:242047 +--- + +## Summary +Following previous incident FG-IR-22-398 / CVE-2022-42475 published on January 11, 2023 (known to us as DIVD-2022-00063) where a heap-based buffer overflow in FortiOS SSL VPN with exploitation was observed in the wild, the Fortinet Product Security Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module. This audit, together with a responsible disclosure from a third-party researcher, led to the identification of this new critical SSL-VPN RCE Vulnerability. +According to a blog, posted by BishopFox, there were nearly 490,000 affected SSL VPN interfaces exposed on the internet on June 30th of 2023. Roughly 69% of them were at that time unpatched. +## What you can do +Upgrade your SSL VPN instance to the latest version or apply the work-around: disable SSL VPN or only allow whitelisted IPs. + +## What we are doing +DIVD is currently scanning for vulnerable instances connected to the public internet. We would like to thank Fox-IT / NCC Group for the data on this vulnerability that we will use to notify owners of vulnerable systems. Owners of vulnerable systems will receive a notification with instructions to update their system. + +{% include timeline.html %} + +## More information +* {% cve CVE-2023-27997 %} +* [Fortinet Security Advisory](https://www.fortiguard.com/psirt/FG-IR-23-097) +* [Fortinet PSIRT Blog CVE-2023-27997](https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign) +* [Fortinet PSIRT Blog 2022-42475 ](https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd) +* [DIVD case CVE-2022-42475](https://csirt.divd.nl/csirt-divd-nl/cases/DIVD-2022-00063/) +* [Bishop Fox Blog](https://bishopfox.com/blog/cve-2023-27997-exploitable-and-fortigate-firewalls-vulnerable) From aa8184c00b1b571afc1eee3a6470cf702beaa5cb Mon Sep 17 00:00:00 2001 From: Max <25766540+Maximand@users.noreply.github.com> Date: Tue, 26 Sep 2023 11:56:08 +0200 Subject: [PATCH 2/3] Update DIVD-2023-00029.md From 22f7779878ff387530abe2863d99005ed32b98ab Mon Sep 17 00:00:00 2001 From: Max <25766540+Maximand@users.noreply.github.com> Date: Tue, 26 Sep 2023 12:02:09 +0200 Subject: [PATCH 3/3] Update DIVD-2023-00029.md --- _cases/2023/DIVD-2023-00029.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_cases/2023/DIVD-2023-00029.md b/_cases/2023/DIVD-2023-00029.md index 5d90473b..6642f066 100644 --- a/_cases/2023/DIVD-2023-00029.md +++ b/_cases/2023/DIVD-2023-00029.md @@ -73,7 +73,7 @@ timeline: - start: 2023-09-26 end: event: "Case closed after monitoring phase." -ips:242047 +ips: 242047 --- ## Summary