More than 330,000 FortiGate firewall appliances are still vulnerable to a remote code execution (RCE) attack three weeks after Fortinet issued a critical fix for the flaw on June 12.

In a Friday post, Bishop Fox researchers reported that a search of the Shodan internet-device index turned up roughly 490,000 FortiGate SSL-VPN interfaces reachable from the public internet, and that 69% of them were still unpatched and vulnerable to attack.

The flaw, CVE-2023-27997, found by researchers Charles Fol and Dany Bach at security firm Lexfo, is a heap-based buffer overflow in the Secure Sockets Layer Virtual Private Network (SSL VPN) component of Fortinet's FortiOS and FortiProxy. An SSL VPN is defined by F5 Networks as a "virtual private network created using the Secure Sockets Layer protocol to create a secure and encrypted connection over a less-secure network, such as the internet." A remote, unauthenticated attacker can exploit the flaw by sending a crafted request to the SSL-VPN interface. NIST rates the flaw critical, with a CVSS score of 9.8 out of 10.

Fortinet has been working to address the issue for several weeks. On June 12, SC Media reported that Fortinet had released FortiOS firmware updates that fix the flaw: versions 7.0.12, 7.2.5, 6.4.13 and 6.2.15. On June 11, Lexfo researcher Fol had tweeted that Fortinet would soon publish a patch for CVE-2023-27997, disclosing the flaw's existence a day ahead of the fix.
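As an added example, not code from the article, from Fortinet or from Bishop Fox, the following Python helper applies the fixed-version list above to FortiOS version strings, the kind of triage an administrator would run over an inventory export to find appliances still on a pre-fix build. It assumes version strings in the form a FortiGate prints in its `get system status` output (for example `v7.0.11,build0489`), which is an assumption of this example, and it deliberately reports any release branch the article does not list as unknown rather than guessing, since a branch-aware comparison is only as good as its fixed-version table.

```python
"""Triage helper for CVE-2023-27997: is a FortiOS build on or past the fixed version?

Fixed versions are the four the article lists (7.0.12, 7.2.5, 6.4.13, 6.2.15).
Any other branch is reported as unknown so the operator checks the vendor advisory
instead of trusting a guess. This is illustrative code, not Fortinet's own tooling.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Minimum fixed build per (major, minor) branch, as listed in the article.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (7, 2): (7, 2, 5),
    (7, 0): (7, 0, 12),
    (6, 4): (6, 4, 13),
    (6, 2): (6, 2, 15),
}

# Matches "v7.0.11" or "7.0.11" anywhere in a banner/status line.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Version:
    """Extract a (major, minor, patch) triple from a status line.

    Assumed input format (not taken from the article): the 'Version:' line of
    `get system status`, e.g. 'FortiGate-60F v7.0.11,build0489,230209 (GA)'.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no FortiOS version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable: ...' or 'unknown: ...' for one version string."""
    version = parse_version(text)
    branch = version[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Branches such as 6.0.x or 7.4.x are not in the article's list; do not guess.
        return (f"unknown: {branch[0]}.{branch[1]}.x is not a branch listed here; "
                "consult Fortinet's advisory")
    if version >= fixed:
        return "patched"
    return "vulnerable: upgrade to " + ".".join(map(str, fixed)) + " or later"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Assess a list of (hostname, status-line) pairs; unparsable entries are flagged."""
    results = []
    for host, line in inventory:
        try:
            results.append((host, assess(line)))
        except ValueError as exc:
            results.append((host, f"unparsable: {exc}"))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up for illustration.
    sample = [
        ("fw-branch-01", "FortiGate-60F v7.0.11,build0489,230209 (GA)"),
        ("fw-branch-02", "FortiGate-100F v7.0.12,build0523,230516 (GA)"),
        ("fw-dc-01", "FortiGate-600E v7.2.4,build1396,230131 (GA)"),
        ("fw-legacy", "FortiGate-60E v6.4.13,build2462,230508 (GA)"),
        ("fw-lab", "FortiGate-40F v7.4.0,build2360,230509 (GA)"),
        ("fw-broken", "no version banner captured"),
    ]
    for host, status in triage(sample):
        print(f"{host:14} {status}")
```

The comparison is intentionally per-branch: a 7.0.11 appliance is not "older than 7.2.5" in any useful sense, it simply needs 7.0.12, which is why the table is keyed on (major, minor). In practice this check belongs beside, not instead of, the vendor advisory, which also covers branches the article does not enumerate.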