Fortinet FortiOS Critical Heap-Based Buffer Overflow Vulnerability (CVE-2023-27997)

Fortinet has addressed a heap-based buffer overflow vulnerability in its network operating system, FortiOS. CVE-2023-27997 has been assigned a critical severity rating with a CVSS score of 9.2. Charles Fol and Dany Bach from LEXFO discovered the vulnerability and reported it to Fortinet. Successful exploitation may allow an attacker to execute arbitrary code by sending specially crafted requests.

FortiOS is considered the brain of the Fortinet Security Fabric. As the operating system of the Security Fabric, it connects all of its components and ensures tight integration throughout a Security Fabric deployment across an enterprise.

CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and has asked users to patch it by 4 July 2023.

Vulnerability Details

CVE-2023-27997 is a heap-based buffer overflow vulnerability that requires no authentication for exploitation. The vulnerability exists on the internet-facing interface of the FortiGate SSL VPN.

Exploitation Analysis

The vulnerability resides in the internet-facing web interface through which users authenticate to the VPN. Using the path /remote/hostcheck_validate, an attacker can send an HTTP parameter named enc in a GET or POST request. enc is a lesser-used parameter that FortiGate uses to forward HTTP parameters across requests.


The enc parameter contains a seed, a size, and the data; the size and the data are encrypted. The seed is stored as eight hexadecimal characters and is used to compute the initial state of an XOR keystream. The keystream is sent as a hexadecimal string. For decryption, the keystream is XORed with the rest of the enc payload, that is, the size and the ciphertext.

In the decryption function, the bounds check compares in_len - 5 with out[4] ^ md5[0]. Its purpose is to ensure that the decrypted length of the data (given_len) lies within the expected bounds.

However, there is an issue with the bounds verification logic:

if (in_len - 5 <= out[4] ^ md5[0])

This check compares the actual payload length (in_len - 5) with the decrypted length given_len, that is, the byte at index 4 of the out buffer XORed with the first byte of the md5 array.

The issue is that the comparison uses only a single byte (out[4] ^ md5[0] is a one-byte value), while in_len - 5 is the full actual size of the payload.

An attacker may exploit this vulnerability by issuing GET/POST requests to either of the two URLs:

  • /remote/hostcheck_validate
  • /remote/logincheck

For simple exploits, several HTTP requests must be sent in quick succession to either of these URLs.
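As an added, defender-side example (not from the advisory, Fortinet or LEXFO), the following Python triage walks constructed web-server access-log lines, flags every request carrying an enc parameter to the two paths above, and reports sources that send several such requests in quick succession. The log line format, the burst thresholds and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

WATCHED_PATHS = {"/remote/hostcheck_validate", "/remote/logincheck"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Assumed combined-log-style line: ip - - [ts] "METHOD target HTTP/x" status
# (a POST body is not logged, so only a query-string enc is visible here)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["enc"] = parse_qs(parts.query).get("enc", [None])[0]  # None when absent
    return rec

def triage(lines, burst_count=5, burst_seconds=10):
    """Return (hits, bursts): hits = (ip, path, ts, reason) per enc request to a watched
    path; bursts = (ip, path, total) when >= burst_count hits fall within burst_seconds."""
    hits, per_source = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["path"] not in WATCHED_PATHS or rec["enc"] is None:
            continue
        reason = "enc parameter present" if HEX_RE.match(rec["enc"]) else "enc is not a hex string"
        hits.append((rec["ip"], rec["path"], rec["ts"], reason))
        per_source[(rec["ip"], rec["path"])].append(rec["ts"])
    bursts = []
    for (ip, path), times in per_source.items():
        times.sort()  # sliding window over the sorted timestamps of one source/path pair
        for i in range(len(times) - burst_count + 1):
            if (times[i + burst_count - 1] - times[i]).total_seconds() <= burst_seconds:
                bursts.append((ip, path, len(times)))
                break
    return hits, bursts

SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.7 - - [12/Jun/2023:10:00:00 +0000] "GET /remote/login?lang=en HTTP/1.1" 200',
    '192.0.2.5 - - [12/Jun/2023:10:05:00 +0000] "GET /remote/logincheck?enc=zz HTTP/1.1" 200',
] + [f'198.51.100.9 - - [12/Jun/2023:10:00:0{i} +0000] "POST /remote/hostcheck_validate'
     f'?enc=0a1b2c3d{"ff" * i} HTTP/1.1" 200' for i in range(6)]
```

Running triage(SAMPLE_LOG) reports seven enc hits and one burst from 198.51.100.9 against /remote/hostcheck_validate; tune burst_count and burst_seconds to the normal rate of hostcheck traffic on the device.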

Affected Products and Versions

  • FortiOS-6K7K version 7.0.10
  • FortiOS-6K7K version 7.0.5
  • FortiOS-6K7K version 6.4.12
  • FortiOS-6K7K version 6.4.10
  • FortiOS-6K7K version 6.4.8
  • FortiOS-6K7K version 6.4.6
  • FortiOS-6K7K version 6.4.2
  • FortiOS-6K7K version 6.2.9 through 6.2.13
  • FortiOS-6K7K version 6.2.6 through 6.2.7
  • FortiOS-6K7K version 6.2.4
  • FortiOS-6K7K version 6.0.12 through 6.0.16
  • FortiOS-6K7K version 6.0.10
  • FortiProxy version 7.2.0 through 7.2.3
  • FortiProxy version 7.0.0 through 7.0.9
  • FortiProxy version 2.0.0 through 2.0.12
  • FortiProxy 1.2, all versions
  • FortiProxy 1.1, all versions
  • FortiOS version 7.2.0 through 7.2.4
  • FortiOS version 7.0.0 through 7.0.11
  • FortiOS version 6.4.0 through 6.4.12
  • FortiOS version 6.2.0 through 6.2.13
  • FortiOS version 6.0.0 through 6.0.16

Mitigation

Customers are advised to upgrade to the following versions:

  • FortiOS-6K7K version 7.0.12 or above
  • FortiOS-6K7K version 6.4.13 or above
  • FortiOS-6K7K version 6.2.15 or above
  • FortiOS-6K7K version 6.0.17 or above
  • FortiProxy version 7.2.4 or above
  • FortiProxy version 7.0.10 or above
  • FortiOS version 7.4.0 or above
  • FortiOS version 7.2.5 or above
  • FortiOS version 7.0.12 or above
  • FortiOS version 6.4.13 or above
  • FortiOS version 6.2.14 or above
  • FortiOS version 6.0.17 or above

Please refer to the Fortinet PSIRT Advisory (FG-IR-23-097) for more information.

Workaround

Disable SSL-VPN.

Qualys Detection

Qualys customers can scan their devices with QID 44059 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://www.fortiguard.com/psirt/FG-IR-23-097
https://blog.lexfo.fr/xortigate-cve-2023-27997.html
