336,000 servers remain unpatched against critical Fortigate vulnerability

News Summary

  • Bishop Fox said that some of the vulnerable machines appeared to be running Fortigate software that hadn’t been updated since 2015. “Wow—looks like there’s a handful of devices running 8-year-old FortiOS on the Internet,” Caleb Gross, director of capability development at Bishop Fox, wrote in Friday’s post.
  • “I wouldn’t touch those with a 10-foot pole.” Gross reported that Bishop Fox has developed an exploit to test customer devices. A screen capture published with the findings shows the proof-of-concept exploit corrupting the heap, the region of a process’s memory that holds dynamically allocated data (and, with it, the pointers and allocator metadata an attacker can overwrite to hijack execution).
  • Fortinet released updates silently patching the flaw on June 8 and disclosed it four days later in an advisory that said it may have been exploited in targeted attacks.
  • The corruption lets the exploit run malicious code that connects to an attacker-controlled server, downloads the BusyBox utility for Unix-like operating systems, and opens an interactive shell through which the attacker can remotely issue commands on the vulnerable machine.
  • The exploit’s speed is an improvement over a PoC Lexfo released on June 13. So far, there are few details about the active exploits of CVE-2023-27997 that Fortinet said may be underway.
  • Volt Typhoon, the tracking name for a Chinese-speaking threat group, has actively exploited CVE-2022-40684, a separate Fortigate vulnerability of similar high severity.
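What “corrupting the heap” means in practice, as an added example written for this page rather than code taken from the article, from Fortinet or from Bishop Fox: a generic heap overflow in C, with the unchecked copy beside its bounds-checked replacement. The allocation layout (a 16-byte buffer immediately followed by a 4-byte privilege flag) and the oversized input are constructed assumptions; the real FortiOS bug and the Bishop Fox exploit are not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout of one heap allocation: a fixed-size request buffer
 * immediately followed by a 4-byte privilege flag. This is an illustration
 * written for this page, not FortiOS code and not Bishop Fox's exploit. */
#define BUF_SIZE   16u
#define FLAG_SIZE  4u
#define BLOCK_SIZE (BUF_SIZE + FLAG_SIZE)

/* Allocate one block on the heap: empty buffer, flag = 0 (unprivileged). */
static unsigned char *block_new(void)
{
    unsigned char *blk = calloc(1, BLOCK_SIZE);
    if (blk == NULL) {
        perror("calloc");
        exit(EXIT_FAILURE);
    }
    return blk;
}

/* Read the flag stored just past the buffer inside the same allocation. */
static uint32_t block_flag(const unsigned char *blk)
{
    uint32_t flag;
    memcpy(&flag, blk + BUF_SIZE, FLAG_SIZE);
    return flag;
}

/* Vulnerable copy: trusts the caller-supplied length. Anything longer than
 * BUF_SIZE spills into the bytes after the buffer; here that is the flag,
 * in a real target it may be heap metadata or a function pointer. */
static int copy_vulnerable(unsigned char *blk, const unsigned char *src, size_t len)
{
    memcpy(blk, src, len);            /* BUG: no check of len against BUF_SIZE */
    return 0;
}

/* Hardened copy: reject input that does not fit instead of overflowing. */
static int copy_fixed(unsigned char *blk, const unsigned char *src, size_t len)
{
    if (len > BUF_SIZE)
        return -1;
    memcpy(blk, src, len);
    return 0;
}

typedef int (*copy_fn)(unsigned char *, const unsigned char *, size_t);

/* Run one copy routine against a fresh block; return the copy's status and
 * leave the post-copy flag value in *flag_out. */
static int run_scenario(copy_fn copy, const unsigned char *input, size_t len,
                        uint32_t *flag_out)
{
    unsigned char *blk = block_new();
    int rc = copy(blk, input, len);
    *flag_out = block_flag(blk);
    free(blk);
    return rc;
}

/* Constructed malicious input: 16 filler bytes, then 4 bytes of 0xFF that
 * land exactly on the flag (0xFF avoids any endianness dependence). */
static const unsigned char attack_input[BLOCK_SIZE] = {
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    0xFF, 0xFF, 0xFF, 0xFF
};

/* Flag value after the vulnerable copy: the overflow turns it into 0xFFFFFFFF. */
uint32_t flag_after_vulnerable(void)
{
    uint32_t flag;
    run_scenario(copy_vulnerable, attack_input, sizeof attack_input, &flag);
    return flag;
}

/* Flag value after the hardened copy: still 0, because the input was rejected. */
uint32_t flag_after_fixed(void)
{
    uint32_t flag;
    run_scenario(copy_fixed, attack_input, sizeof attack_input, &flag);
    return flag;
}

/* Return code of the hardened copy for the oversized input (-1 = rejected). */
int rc_of_fixed(void)
{
    uint32_t flag;
    return run_scenario(copy_fixed, attack_input, sizeof attack_input, &flag);
}

int main(void)
{
    printf("vulnerable copy: flag = 0x%08x\n", flag_after_vulnerable());
    printf("hardened copy:   flag = 0x%08x (rc %d)\n", flag_after_fixed(), rc_of_fixed());
    return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`. The overwrite stays inside the 20-byte allocation so the program is deterministic; in a real heap the bytes after an undersized buffer belong to the allocator or to a neighbouring object, which is what turns an unchecked length into the remote code execution the proof of concept demonstrates. The hardened variant shows the only reliable fix: check the length before copying and fail closed.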
Researchers say that nearly 336,000 devices exposed to the Internet remain vulnerable to a critical vulnerability in firewalls sold by Fortinet because admins have yet to install patches the