Reading The Runes: Is the XORtigate vulnerability even worse than it looks?

XORtigate: CVE-2023-27997

The details on the latest Fortinet VPN vulnerability (CVE-2023-27997) are fairly grim. A reliable remote code injection vulnerability in a widely deployed VPN endpoint raises the obvious spectre of a long, drawn-out series of exploits and breaches. The Internet just got a little bit more dangerous.

With an initial CVSS score of 9.2, and an (entirely justified) comment from the discoverers (LEXFO) that it should be a 10.0, this is clearly a dangerous bug. But what does this tell us about the overall security assurance of the product? There are some interesting points in LEXFO’s advisory that are worth digging into.

"The bug is easy to spot"

It is difficult to read the LEXFO advisory without the words "The bug is easy to spot" jumping off the page and poking you in the eye. This vulnerability is present in hundreds of thousands of deployments, has existed for at least five years without being discovered, and yet it is "easy to spot". Really? How does that even happen?

First up: is the vulnerability really that easy to spot? Yes it is. There is really no question about this. The disclosure included a reconstructed code snippet showing the vulnerability, and it really does stick out like a sore thumb. It is unlikely that any code-level security review would miss this vulnerability.

The likely reason this remained undiscovered for so long is that the "encryption" (really just obfuscation) applied to the data blob, combined with the limited data validation that is done, means that most casual attempts to manipulate the vulnerable "enc" value would not trigger a crash. To find it, somebody would need to stumble on a lucky value, do some fuzzing on the interface, or reverse engineer the code.

But wait, I hear you ask: if the vulnerability was obvious from a code review and would be found by some basic fuzzing, and both of these are standard components of even a very basic secure development process, why didn't the vendor find and fix it years ago? In fact, how did this ever get included in a shipping security product to start with?

Unfortunately these are questions that only the vendor will be able to answer. I would strongly advise any impacted users of these products to at least ask the vendor for some clarification on this.

"doubtful they ever ran a proper security assessment"

This comment from LEXFO was based on the "number and quality" of Fortinet vulnerabilities they have found in the last few years. Reliably assessing the overall security quality of a product based on the discovered vulnerabilities can be difficult. The set of vulnerabilities can be heavily influenced by the level of security attention a given product gets as well as external factors such as vulnerabilities in well known protocols or third party libraries. 

That said, the overall "shape" of a vulnerability, along with the manner in which it was resolved, does still provide some useful insight into the likely level of security assurance provided by a product. Specific secure development activities significantly reduce the chances of certain types of vulnerabilities being present, so vulnerability data is informative when evaluating the likely security assurance of a product.

In this case, the available data does seem to support LEXFO’s comments.

Implications

The big question now is how many other, similar, vulnerabilities are yet to be discovered? If, as LEXFO have suggested, this code has not been subject to a more detailed security analysis from the vendor then it is likely we will see others in the future.

Worse still, this vulnerability has just painted a big target on Fortinet VPNs by essentially advertising the possibility that this is a weak area of code. If the next vulnerability is found by a ransomware gang then we might see the same pattern as with the recent MOVEit exploit, where the first indication of a vulnerability came from a large scale exploit.

Quis custodiet ipsos custodes?

There is one obvious takeaway here: never assume that a security product will be more resilient against vulnerabilities than any other product. Recent vulnerability disclosures suggest the opposite.

Given the severity of this issue, and the existing level of public detail, it is likely that this vulnerability is already being actively exploited. If you haven’t yet identified and patched any vulnerable deployments then do this as a matter of urgency (really: put that coffee down and go and install the patches right now).

If you have been impacted by this vulnerability then, as with any other high risk issue, I would recommend contacting your vendor’s support representative and asking for some clarification on how these issues came to exist and what the vendor is doing to prevent additional vulnerabilities. Firewalls and VPNs need to be trustworthy components so this type of vulnerability should not be taken lightly.

Given the recent spate of vulnerabilities in security products, I would also recommend looking for opportunities to reduce your attack surface. Now would be a good time to look over your security infrastructure and make sure that any unused features, especially features like VPNs that expose significant attack surface, are disabled.

A brief look at current Fortinet deployment metrics suggests that there are a lot of deployments that are a long way behind on security patches. In the past we have found cases where these devices have simply been replaced and forgotten about, so it is worth making sure that you don’t have any obsolete devices that are still connected. An unused device is still just as vulnerable and could still be used to gain access to your network.
