Potential CVE-2023-27997 Exploitation Indicators
Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate weblogs. To reduce false positives, look for successive requests to the endpoints listed below and for unusual values of the "enc" parameter rather than alerting on a single hit.
Sigma rule
title: Potential CVE-2023-27997 Exploitation Indicators
id: 31e4e649-7394-4fd2-9ae7-dbc61eebb550
status: test
description: |
    Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate weblogs.
    To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter
references:
    - https://blog.lexfo.fr/Forensics-xortigate-notice.html
    - https://blog.lexfo.fr/xortigate-cve-2023-27997.html
    - https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/
    - https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
author: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-27997
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_uri:
        cs-method:
            - 'GET'
            - 'POST'
        cs-uri-query|contains:
            - '/remote/hostcheck_validate'
            - '/remote/logincheck'
    selection_keywords:
        - 'enc='
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
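The rule above matches any GET or POST to the two listed endpoints whose event also contains the string "enc=", which a normal SSL-VPN login will also produce. The following Python is an added example, not part of the SigmaHQ rule or the referenced write-ups: it re-implements the two selections and the "all of selection_*" condition over constructed W3C-style log lines, then applies the triage the description suggests (count successive matches per client and surface unusual "enc" values). It assumes a log layout of "date time c-ip cs-method cs-uri-query sc-status" with cs-uri-query holding the full request URL including the query string; the "even-length hex" check in looks_weird is a placeholder heuristic, not something the rule or the page defines, and should be tuned to what legitimate traffic looks like in your environment.

```python
"""Re-implementation of the Sigma rule's logic plus the triage step its description recommends.

Added example, not part of the SigmaHQ rule. Assumes a W3C-style log with the fields
"date time c-ip cs-method cs-uri-query sc-status", where cs-uri-query carries the full
request URL (path plus query string).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Values taken directly from the rule's selections.
ENDPOINTS = ("/remote/hostcheck_validate", "/remote/logincheck")
METHODS = {"GET", "POST"}
KEYWORD = "enc="

# Constructed sample lines (not real traffic). 203.0.113.10 hammers the login
# endpoints with odd enc values; 198.51.100.7 is an ordinary login.
SAMPLE_LOGS = """\
2023-07-28 10:00:01 203.0.113.10 POST /remote/logincheck?ajax=1&username=alice&enc=00112233445566778899aabbccddeeff 200
2023-07-28 10:00:02 203.0.113.10 POST /remote/logincheck?ajax=1&username=alice&enc=zzz 200
2023-07-28 10:00:03 203.0.113.10 POST /remote/hostcheck_validate?enc=abc 200
2023-07-28 10:00:04 203.0.113.10 POST /remote/logincheck?enc=12345 500
2023-07-28 10:00:05 198.51.100.7 GET /remote/login?lang=en 200
2023-07-28 10:00:06 198.51.100.7 POST /remote/logincheck?ajax=1&username=bob&enc=8899aabbccddeeff0011223344556677 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<c_ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def rule_matches(entry, raw_line):
    """selection_uri AND selection_keywords, as in 'condition: all of selection_*'."""
    selection_uri = entry["method"] in METHODS and any(ep in entry["url"] for ep in ENDPOINTS)
    # A keyword selection searches the whole event, not one field.
    selection_keywords = KEYWORD in raw_line
    return selection_uri and selection_keywords


def enc_values(url):
    """All values of the enc query parameter in a request URL (usually zero or one)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("enc", [])


def looks_weird(enc):
    """Placeholder triage heuristic (an assumption, not from the rule): flag anything
    that is not even-length hex. Tune this to what legitimate traffic looks like."""
    return len(enc) % 2 == 1 or re.fullmatch(r"[0-9a-fA-F]+", enc) is None


def triage(log_text, min_hits=3):
    """Group rule matches by client and flag clients with at least min_hits matching requests."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry and rule_matches(entry, raw):
            hits[entry["c_ip"]].append(entry)
    report = {}
    for client, entries in hits.items():
        encs = [v for e in entries for v in enc_values(e["url"])]
        report[client] = {
            "hits": len(entries),
            "weird_enc": sorted({v for v in encs if looks_weird(v)}),
            "flag": len(entries) >= min_hits,
        }
    return report


if __name__ == "__main__":
    for client, summary in triage(SAMPLE_LOGS).items():
        print(client, summary)
```

On the sample data the ordinary login from 198.51.100.7 still produces one rule match, which is exactly the false positive the description warns about; only the client with repeated matches and malformed-looking enc values is flagged, so the rule output is best fed into a per-client aggregation rather than alerted on raw.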