Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Close xortgiate #675

Merged
merged 3 commits into from
Sep 26, 2023
Merged

Close xortgiate #675

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
025e02e
Close xortgiate
Maximand Sep 26, 2023
aa8184c
Update DIVD-2023-00029.md
Maximand Sep 26, 2023
22f7779
Update DIVD-2023-00029.md
Maximand Sep 26, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
185 changes: 96 additions & 89 deletions _cases/2023/DIVD-2023-00029.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,89 +1,96 @@
---
layout: case
title: "Critical Fortinet SSL-VPN RCE Vulnerability"
excerpt: "A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests."
author: Boaz Braaksma
lead: Ralph Horn
status: Open
researchers:
- Axel Boesenach
- Victor Pasman
- Lennaert Oudshoorn
- Max van der Horst
- Alwin Warringa
- Boaz Braaksma
- Ralph Horn
cves:
- CVE-2023-27997
product: "FortiOS-6K7K, FortiProxy, and FortiOS"
versions:
- FortiOS-6K7K version 7.0.10
- FortiOS-6K7K version 7.0.5
- FortiOS-6K7K version 6.4.12
- FortiOS-6K7K version 6.4.10
- FortiOS-6K7K version 6.4.8
- FortiOS-6K7K version 6.4.6
- FortiOS-6K7K version 6.4.2
- FortiOS-6K7K version 6.2.9 through 6.2.13
- FortiOS-6K7K version 6.2.6 through 6.2.7
- FortiOS-6K7K version 6.2.4
- FortiOS-6K7K version 6.0.12 through 6.0.16
- FortiOS-6K7K version 6.0.10
- FortiProxy version 7.2.0 through 7.2.3
- FortiProxy version 7.0.0 through 7.0.9
- FortiProxy version 2.0.0 through 2.0.12
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
- FortiOS version 7.2.0 through 7.2.4
- FortiOS version 7.0.0 through 7.0.11
- FortiOS version 6.4.0 through 6.4.12
- FortiOS version 6.2.0 through 6.2.13
- FortiOS version 6.0.0 through 6.0.16
recommendation: "Upgrade your affected installations to one of the fixed versions listed by Fortinet in their Security Advisory."
patch_status: Fuly patched
-workaround: Disable SSL VPN or only allow whitelisted IPs
status : Open
start: 2023-06-09
end:
timeline:
- start: 2023-06-09
end:
event: "Fortinet released security fixes"
- start: 2023-06-09
end:
event: "DIVD starts tracking this vulnerability"
- start: 2023-07-13
end:
event: "Fortinet publishes security advisory"
- start: 2023-06-12
end:
event: "DIVD starts researching fingerprint"
- start: 2023-06-13
end:
event: DIVD identifies vulnerable devices"
- start: 2023-07-17
end:
event: "Fox-IT/NCC Group shares data of more vulnerable devices with DIVD"
- start: 2023-07-17
end:
event: "First version of this casefile"
---

## Summary
Following previous incident FG-IR-22-398 / CVE-2022-42475 published on January 11, 2023 (known to us as DIVD-2022-00063) where a heap-based buffer overflow in FortiOS SSL VPN with exploitation was observed in the wild, the Fortinet Product Security Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module. This audit, together with a responsible disclosure from a third-party researcher, led to the identification of this new critical SSL-VPN RCE Vulnerability.
According to a blog, posted by BishopFox, there were nearly 490,000 affected SSL VPN interfaces exposed on the internet on June 30th of 2023. Roughly 69% of them were at that time unpatched.
## What you can do
Upgrade your SSL VPN instance to the latest version or apply the work-around: disable SSL VPN or only allow whitelisted IPs.

## What we are doing
DIVD is currently scanning for vulnerable instances connected to the public internet. We would like to thank Fox-IT / NCC Group for the data on this vulnerability that we will use to notify owners of vulnerable systems. Owners of vulnerable systems will receive a notification with instructions to update their system.

{% include timeline.html %}

## More information
* {% cve CVE-2023-27997 %}
* [Fortinet Security Advisory](https://www.fortiguard.com/psirt/FG-IR-23-097)
* [Fortinet PSIRT Blog CVE-2023-27997](https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign)
* [Fortinet PSIRT Blog 2022-42475 ](https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd)
* [DIVD case CVE-2022-42475](https://csirt.divd.nl/csirt-divd-nl/cases/DIVD-2022-00063/)
* [Bishop Fox Blog](https://bishopfox.com/blog/cve-2023-27997-exploitable-and-fortigate-firewalls-vulnerable)
---
layout: case
title: "Critical Fortinet SSL-VPN RCE Vulnerability"
excerpt: "A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests."
author: Boaz Braaksma
lead: Ralph Horn
status: Closed
researchers:
- Axel Boesenach
- Victor Pasman
- Lennaert Oudshoorn
- Max van der Horst
- Alwin Warringa
- Boaz Braaksma
- Ralph Horn
cves:
- CVE-2023-27997
product: "FortiOS-6K7K, FortiProxy, and FortiOS"
versions:
- FortiOS-6K7K version 7.0.10
- FortiOS-6K7K version 7.0.5
- FortiOS-6K7K version 6.4.12
- FortiOS-6K7K version 6.4.10
- FortiOS-6K7K version 6.4.8
- FortiOS-6K7K version 6.4.6
- FortiOS-6K7K version 6.4.2
- FortiOS-6K7K version 6.2.9 through 6.2.13
- FortiOS-6K7K version 6.2.6 through 6.2.7
- FortiOS-6K7K version 6.2.4
- FortiOS-6K7K version 6.0.12 through 6.0.16
- FortiOS-6K7K version 6.0.10
- FortiProxy version 7.2.0 through 7.2.3
- FortiProxy version 7.0.0 through 7.0.9
- FortiProxy version 2.0.0 through 2.0.12
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
- FortiOS version 7.2.0 through 7.2.4
- FortiOS version 7.0.0 through 7.0.11
- FortiOS version 6.4.0 through 6.4.12
- FortiOS version 6.2.0 through 6.2.13
- FortiOS version 6.0.0 through 6.0.16
recommendation: "Upgrade your affected installations to one of the fixed versions listed by Fortinet in their Security Advisory."
patch_status: Fuly patched
-workaround: Disable SSL VPN or only allow whitelisted IPs
status : Closed
start: 2023-06-09
end: 2023-09-26
timeline:
- start: 2023-06-09
end:
event: "Fortinet released security fixes"
- start: 2023-06-09
end:
event: "DIVD starts tracking this vulnerability"
- start: 2023-07-13
end:
event: "Fortinet publishes security advisory"
- start: 2023-06-12
end:
event: "DIVD starts researching fingerprint"
- start: 2023-06-13
end:
event: DIVD identifies vulnerable devices"
- start: 2023-07-17
end:
event: "Fox-IT/NCC Group shares data of more vulnerable devices with DIVD"
- start: 2023-07-17
end:
event: "First version of this casefile"
- start: 2023-08-07
end:
event: "First Mailrun."
- start: 2023-09-26
end:
event: "Case closed after monitoring phase."
ips: 242047
---

## Summary
Following previous incident FG-IR-22-398 / CVE-2022-42475 published on January 11, 2023 (known to us as DIVD-2022-00063) where a heap-based buffer overflow in FortiOS SSL VPN with exploitation was observed in the wild, the Fortinet Product Security Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module. This audit, together with a responsible disclosure from a third-party researcher, led to the identification of this new critical SSL-VPN RCE Vulnerability.
According to a blog, posted by BishopFox, there were nearly 490,000 affected SSL VPN interfaces exposed on the internet on June 30th of 2023. Roughly 69% of them were at that time unpatched.
## What you can do
Upgrade your SSL VPN instance to the latest version or apply the work-around: disable SSL VPN or only allow whitelisted IPs.

## What we are doing
DIVD is currently scanning for vulnerable instances connected to the public internet. We would like to thank Fox-IT / NCC Group for the data on this vulnerability that we will use to notify owners of vulnerable systems. Owners of vulnerable systems will receive a notification with instructions to update their system.

{% include timeline.html %}

## More information
* {% cve CVE-2023-27997 %}
* [Fortinet Security Advisory](https://www.fortiguard.com/psirt/FG-IR-23-097)
* [Fortinet PSIRT Blog CVE-2023-27997](https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign)
* [Fortinet PSIRT Blog 2022-42475 ](https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd)
* [DIVD case CVE-2022-42475](https://csirt.divd.nl/csirt-divd-nl/cases/DIVD-2022-00063/)
* [Bishop Fox Blog](https://bishopfox.com/blog/cve-2023-27997-exploitable-and-fortigate-firewalls-vulnerable)