SigmaHQ / sigma

Main Sigma Rule Repository

Detect FortiOS & FortiProxy - Heap buffer overflow in sslvpn pre-authentication #4317

Closed serpaldom closed 1 year ago

serpaldom commented 1 year ago

Description of the Idea of the Rule

Based on the vulnerability analysis reports for CVE-2023-27997 (CWE-122), I would like to propose a detection rule for HTTP requests made to endpoints affected by the vulnerability, which could be a possible indication of being under attack.

Public References

Proposed rule

```yaml
title: (XORtigate) Pre-authentication Remote Code Execution on Fortigate VPN (CVE-2023-27997)
id: xortigate-preauth-rce
status: experimental
description: A heap-based buffer overflow vulnerability (CWE-122) in FortiOS and FortiProxy SSL-VPN allows a remote attacker to execute arbitrary code or commands via specifically crafted requests. The bug is located on the web interface that allows users to authenticate to the VPN. This interface is, by design, internet-facing. If the path /remote/hostcheck_validate is accessed and an HTTP parameter named "enc" is sent through GET or POST, it may trigger the vulnerability.
author: Sergio Palacios Dominguez
date: 2023/06/18
references:
    - https://blog.lexfo.fr/Forensics-xortigate-notice.html
    - https://blog.lexfo.fr/xortigate-cve-2023-27997.html
    - https://www.fortiguard.com/psirt/FG-IR-23-097
logsource:
    category: network
    product: FortiOS, FortiProxy
detection:
    selection:
        url.path|contains:
            - '/remote/hostcheck_validate'
            - '/remote/logincheck'
        http.method:
            - 'GET'
            - 'POST'
    condition: selection
falsepositives:
    - 'Unknown'
level: critical
tags:
    - buffer overflow
    - rce
    - fortinet
    - cve-2023-27997
affected_products:
    - FortiOS-6K7K version 7.0.10
    - FortiOS-6K7K version 7.0.5
    - FortiOS-6K7K version 6.4.12
    - FortiOS-6K7K version 6.4.10
    - FortiOS-6K7K version 6.4.8
    - FortiOS-6K7K version 6.4.6
    - FortiOS-6K7K version 6.4.2
    - FortiOS-6K7K version 6.2.9 through 6.2.13
    - FortiOS-6K7K version 6.2.6 through 6.2.7
    - FortiOS-6K7K version 6.2.4
    - FortiOS-6K7K version 6.0.12 through 6.0.16
    - FortiOS-6K7K version 6.0.10
    - FortiProxy version 7.2.0 through 7.2.3
    - FortiProxy version 7.0.0 through 7.0.9
    - FortiProxy version 2.0.0 through 2.0.12
    - FortiProxy 1.2 all versions
    - FortiProxy 1.1 all versions
    - FortiOS version 7.2.0 through 7.2.4
    - FortiOS version 7.0.0 through 7.0.11
    - FortiOS version 6.4.0 through 6.4.12
    - FortiOS version 6.2.0 through 6.2.13
    - FortiOS version 6.0.0 through 6.0.16
```

nasbench commented 1 year ago

Hi and thanks for your contribution.

Will look into this a bit more and report back.

Regards.

nasbench commented 1 year ago

I've checked the posts and improved the rule a little bit by including the vuln parameter and fixed the fields. Such a rule would be best described as a correlation, as the attack requires multiple requests to those endpoints. I will push the rule later in a PR.

```yaml
title: Potential CVE-2023-27997 Exploitation Indicators
id: 31e4e649-7394-4fd2-9ae7-dbc61eebb550
status: experimental
description: |
    Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate weblogs.
    To avoid false positives it's best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter.
references:
    - https://blog.lexfo.fr/Forensics-xortigate-notice.html
    - https://blog.lexfo.fr/xortigate-cve-2023-27997.html
    - https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/
    - https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
author: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems)
date: 2023/07/28
tags:
    - cve.2023.27997
logsource:
    category: webserver
detection:
    selection_uri:
        cs-method:
            - 'GET'
            - 'POST'
        cs-uri-query|contains:
            - '/remote/hostcheck_validate'
            - '/remote/logincheck'
    selection_keywords:
        - 'enc='
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
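As an added illustration (not part of this issue or of the Sigma project's own code), the Python below mirrors the rule's `all of selection_*` logic over constructed web log lines and layers on the successive-request correlation suggested in the comment above; the log layout, the 60-second window and the threshold of three hits are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# Made up for illustration; the "enc" values are placeholders, not real payloads.
SAMPLE_LOGS = """\
2023-06-20 10:00:01 198.51.100.7 GET /remote/login lang=en 200
2023-06-20 10:00:05 198.51.100.7 POST /remote/logincheck enc=PLACEHOLDER1 200
2023-06-20 10:00:06 198.51.100.7 POST /remote/logincheck enc=PLACEHOLDER2 200
2023-06-20 10:00:07 198.51.100.7 POST /remote/hostcheck_validate enc=PLACEHOLDER3 500
2023-06-20 10:05:00 203.0.113.9 POST /remote/logincheck ajax=1&username=alice 200
2023-06-20 10:06:00 203.0.113.9 GET /remote/fortisslvpn - 200
"""

PATHS = ("/remote/hostcheck_validate", "/remote/logincheck")


def parse(line):
    """Turn one constructed log line into an event keyed by Sigma webserver field names."""
    date, time, ip, method, stem, query, status = line.split()
    uri = stem if query == "-" else f"{stem}?{query}"
    return {"raw": line, "ts": datetime.fromisoformat(f"{date} {time}"), "c-ip": ip,
            "cs-method": method, "cs-uri-query": uri, "sc-status": int(status)}


def matches_rule(ev):
    """selection_uri AND selection_keywords, as in the rule's 'all of selection_*' condition."""
    selection_uri = ev["cs-method"] in ("GET", "POST") and any(p in ev["cs-uri-query"] for p in PATHS)
    # Sigma keyword lists search the whole event, so match against the raw line here.
    selection_keywords = "enc=" in ev["raw"]
    return selection_uri and selection_keywords


def correlate(logs, threshold=3, window=timedelta(seconds=60)):
    """Return {client_ip: hit_count} for sources with >= threshold rule hits inside one window.

    A single hit is weak evidence (any login attempt can carry 'enc='); the burst of
    requests to these endpoints is what the comment above recommends alerting on."""
    hits = defaultdict(list)
    for line in logs.splitlines():
        ev = parse(line)
        if matches_rule(ev):
            hits[ev["c-ip"]].append(ev["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[ip] = j - i + 1
                break
    return flagged
```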