Potential CVE-2023-27997 Exploitation Indicators

 1title: Potential CVE-2023-27997 Exploitation Indicators
 2id: 31e4e649-7394-4fd2-9ae7-dbc61eebb550
 3status: experimental
 4description: |
 5    Detects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs.
 6    To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter    
 7references:
 8    - https://blog.lexfo.fr/Forensics-xortigate-notice.html
 9    - https://blog.lexfo.fr/xortigate-cve-2023-27997.html
10    - https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/
11    - https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
12author: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems)
13date: 2023/07/28
14tags:
15    - cve.2023.27997
16    - attack.initial_access
17    - attack.t1190
18logsource:
19    category: webserver
20detection:
21    selection_uri:
22        cs-method:
23            - 'GET'
24            - 'POST'
25        cs-uri-query|contains:
26            - '/remote/hostcheck_validate'
27            - '/remote/logincheck'
28    selection_keywords:
29        - 'enc='
30    condition: all of selection_*
31falsepositives:
32    - Unknown
33level: medium

References

• Lexfo's security blog - CVE-2023-27997 - Forensics short notice for XORtigate

  

  Context Following the release of the CVE-2023-27997 on our blog and its section "A few notes for blue teamers", here are some Forensics tips and the traces left by a successful execution of an expl...

  
  Read More

• Lexfo's security blog - XORtigate: Pre-authentication Remote Code Execution on Fortigate VPN (CVE-2023-27997)

  

  XORtigate: Pre-authentication Remote Code Execution on Fortigate VPN (CVE-2023-27997) During a redteam assessment for one of our client, we had the opportunity to look into Fortigate SSL VPN, one o...

  
  Read More

• CVE-2023-27997 – Pre-Authentication RCE on FortiGate SSL-VPN

  

  Written by Harish Segar and Scott Emerson of the Kudelski Security Threat Detection & Research Team June 13th, update 2: Technical details of bug and exploitation disclosed at Summary On Friday…

  
  Read More

• Xortigate, or CVE-2023-27997 - The Rumoured RCE That Was

  

  When Lexfo Security teased a critical pre-authentication RCE bug in FortiGate devices on Saturday 10th, many people speculated on the practical impact of the bug. Would this be a true, sky-is-falling level vulnerability like the recent CVE-2022-42475? Or was it some edge-case hole, requiring some unusual and exotic requisite before

  
  Read More

Related rules

• ADSelfService Exploitation
• Apache Threading Error
• JNDIExploit Pattern
• Java Payload Strings
• Potential Exploitation Attempt Of Undocumented WindowsServer RCE