Most Fortigate devices still open to attack in the Adriatics
Unpatched Fortinet devices made news last week, as it became apparent that a massive number of vulnerable devices are still exposed on the internet, even a month after the vendor published an urgent patch (June 8th).
The vulnerability, tracked as CVE-2023-27997, is a heap-based buffer overflow in the SSL VPN component that affects several FortiOS versions and various devices (mostly Fortigate firewalls). It is a remote code execution (RCE) flaw that does not require the attacker to be authenticated. An unpatched FortiOS device on the internet with its web server providing SSL VPN functionality can let anybody execute arbitrary code: spawn remote shells, run new processes or scheduled tasks, upload new files or replace existing ones, and so on. As the exploit is widely known and publicly available, it can be scripted and deployed within seconds on a massive scale.
And yet, the response is slow, offering threat actors plenty of opportunities to weaponize this bug and penetrate into organizations, potentially deploying ransomware.
What about the Adriatics region?
We set out to explore what patching progress looks like in the Adriatics region, which for this purpose consists of the following countries: Albania, Bosnia and Herzegovina, Croatia, Kosovo, Montenegro, North Macedonia, Serbia and Slovenia.
Using Shodan, a search engine for internet-connected devices, one can query devices in these countries and get a reasonably accurate picture of which ones are patched and which are still exposed to exploitation.
Here's the situation as of July 11th:
Currently Shodan suggests neglect is rampant: there are 2660 publicly exposed FortiOS devices in the region; 1150 (43.2%) appear to be patched and the remaining 1510 (56.8%) show no sign of a patch and are presumed vulnerable. (The patched/unpatched split rests on the Last-Modified heuristic described in the technical section below, so treat the figures as an estimate.)
What does this tell us? Several lessons:
Most Fortinet SSL VPN devices are still waiting for anybody to exploit them and deploy malware. Many are probably compromised already.
This suggests IT services, especially managed security services, are still underdeveloped but sorely needed.
Vulnerabilities are increasingly disclosed after the exploit is already out there. Examples are recent vulnerabilities involving Exchange servers, MOVEit file transfer software, and of course this one. In such cases vendors will typically secure and protect their SaaS offerings first (compare Microsoft365 Exchange patching vs Exchange on-prem patch releases).
Patches shipped to customers take time to deploy, and crucially the vendor is not on the hook if they are not installed: the responsibility lies entirely with the customer. This is a key difference to understand: with SaaS, the incentive to patch is heavily centered on the vendor, as their business survival is jeopardized otherwise.
Therefore, to reduce risk organizations should not use firewalls without a clear service mandate around it. This means an MSSP offering using fully managed SaaS where the vendor is responsible for service continuity and infrastructure. Such offerings, centered around the SASE architecture, do not expose edge devices to the internet, reducing management overhead and attack surface.
Finally, it would be wrong to conclude this is Fortinet's fault. Fortinet is a victim of its own success - probably the most widely deployed firewall in the region. Much like Microsoft, it gets the most attention from security researchers and threat actors alike, so vulnerabilities are to be expected. It is the customers and IT providers that need to adapt and increasingly consume IT as a service.
The technical details
How to explore the internet landscape yourself and derive further insights? If you have a Shodan member account or paid plan, you should be able to query internet facing devices via Shodan's API.
To find potentially patched FortiOS devices, the following indicators can be used in the search query:
HTTP response header "Server: xxxxxxxx-xxxxx"
HTTP response header "Last-Modified:" with a date in May or June 2023 (these are assumed to be patched; this is a build-date heuristic rather than a version check, so expect some misclassification)
HTML returned from server and pointing to SSL VPN portal "/remote/login"
country codes can be added to restrict geography
Stitching everything together, a resulting Shodan CLI query for this region might look as follows:
shodan count "Server: xxxxxxxx-xxxxx" country:SI,HR,BA,RS,ME,MK,AL,XK http.html:"top.location=/remote/login" "Last-Modified: Tue, 06 Jun 2023"
Notice the "Last-Modified" header has to be specified literally, so code is needed to loop through all days within May and June and sum the per-day counts to get the total of patched devices (the unpatched ones are inferred by subtracting that sum from the total obtained by dropping "Last-Modified" from the query). Rough Python code to do this is here.
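The day-by-day loop described above, written out as an added example (this is not the author's script that the link points to). It assembles the same Shodan query as the CLI command, narrows it to one calendar day at a time across May and June, sums the counts and subtracts the sum from the unfiltered total. The live path assumes the official shodan Python client and its Shodan.count() call; the arithmetic itself takes any count function, so the block also runs offline against a constructed fake counter with made-up numbers.

```python
"""Count patched vs. unpatched FortiOS SSL VPN devices from Shodan counts.

Added example, not the script linked from the post.  Assumptions not taken
from the post: the query fragments are combined exactly as in the CLI example
above, and the live run uses the official ``shodan`` Python client's
``Shodan.count()``.  The arithmetic takes any ``count_fn(query) -> int`` so it
can also be exercised offline with a fake counter.
"""
import os
from datetime import date, timedelta
from typing import Callable, Dict, Iterator

# Indicators listed in the post.
SERVER_HEADER = '"Server: xxxxxxxx-xxxxx"'               # obfuscated FortiOS banner
PORTAL_HTML = 'http.html:"top.location=/remote/login"'   # SSL VPN portal redirect
ADRIATICS = "country:SI,HR,BA,RS,ME,MK,AL,XK"
BASE_QUERY = f"{SERVER_HEADER} {ADRIATICS} {PORTAL_HTML}"

# Spelled out instead of strftime('%a'/'%b') so the output is locale-independent.
_DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
_MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def http_date(day: date) -> str:
    """Date prefix as it appears in a Last-Modified header, e.g. 'Tue, 06 Jun 2023'."""
    return f"{_DAYS[day.weekday()]}, {day.day:02d} {_MONTHS[day.month - 1]} {day.year}"


def days_between(start: date, end: date) -> Iterator[date]:
    """Every calendar day from start to end, inclusive."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


def last_modified_query(base: str, day: date) -> str:
    """Narrow the base query to banners whose Last-Modified falls on one day.

    Shodan matches the header text literally, so the day must be spelled out
    in HTTP-date form; leaving off the time-of-day part makes one query cover
    the whole day.
    """
    return f'{base} "Last-Modified: {http_date(day)}"'


def count_patched(count_fn: Callable[[str], int], base: str,
                  start: date, end: date) -> int:
    """Sum the per-day counts.  A banner carries exactly one Last-Modified
    date, so the daily buckets are disjoint and the sum cannot double count."""
    return sum(count_fn(last_modified_query(base, d)) for d in days_between(start, end))


def patch_status(count_fn: Callable[[str], int], base: str = BASE_QUERY,
                 start: date = date(2023, 5, 1),
                 end: date = date(2023, 6, 30)) -> Dict[str, float]:
    """Total exposed devices, those built inside the window (treated as
    patched, following the post's heuristic) and the remainder (presumed
    unpatched)."""
    total = count_fn(base)
    patched = count_patched(count_fn, base, start, end)
    unpatched = total - patched
    pct = round(100.0 * patched / total, 1) if total else 0.0
    return {"total": total, "patched": patched,
            "unpatched": unpatched, "patched_pct": pct}


def shodan_counter(api_key: str) -> Callable[[str], int]:
    """Wrap the real Shodan client (member or paid key required for count())."""
    import shodan  # imported lazily so the offline path has no dependency
    api = shodan.Shodan(api_key)
    return lambda query: int(api.count(query)["total"])


def offline_demo() -> Dict[str, float]:
    """Run the arithmetic against a constructed fake counter (no network).
    The numbers are invented for illustration; every other day counts as 0."""
    fake = {BASE_QUERY: 2660,
            last_modified_query(BASE_QUERY, date(2023, 6, 6)): 700,
            last_modified_query(BASE_QUERY, date(2023, 6, 9)): 300,
            last_modified_query(BASE_QUERY, date(2023, 5, 15)): 150}
    return patch_status(lambda q: fake.get(q, 0))


if __name__ == "__main__":
    key = os.environ.get("SHODAN_API_KEY")
    print(patch_status(shodan_counter(key)) if key else offline_demo())
```

Set SHODAN_API_KEY to run it for real; that issues 62 count queries (61 days plus the unfiltered total). Note the limits of the heuristic: a device whose Last-Modified date falls outside the window is counted as unpatched even if it runs a fixed build, and the per-day string match silently returns 0 for any day whose header text differs from the expected form, so spot-check a few days with the CLI before trusting a low sum.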