The dumpster fire that is Fortinet

OVERKILL

As a follow-up to my "Fortinet gets owned... again" thread:

Fortinet gets owned AGAIN. And AGAIN!

Thanks to @Rand for being more on top of what's going on at Fortinet than I am, as he sent me these recently:

https://www.theregister.com/2024/11/14/fortinet_vpn_authentication_bypass_bug/

A now-patched, high-severity bug in Fortinet's FortiClient VPN application potentially allows a low-privilege rogue user or malware on a vulnerable Windows system to gain higher privileges from another user, execute code and possibly take over the box, and delete log files.


The bug is tracked as CVE-2024-47574, and it earned a 7.8 out of 10 CVSS severity rating. It affects FortiClientWindows versions 7.4.0, 7.2.4 through 7.2.0, 7.0.12 through 7.0.0, and 6.4.10 through 6.4.0. Fortinet patched the hole on Tuesday, so if you haven't already, upgrade to a fixed release.


Pentera Labs' bug hunter Nir Chako found and reported the flaw to Fortinet, plus a second security oversight that allows someone or something nefarious on a system running the VPN client to alter SYSTEM-level registry keys that would otherwise be off limits.

https://www.bleepingcomputer.com/ne...gn-flaw-hides-successful-brute-force-attacks/

A design flaw in the Fortinet VPN server's logging mechanism can be leveraged to conceal the successful verification of credentials during a brute-force attack without tipping off defenders of compromised logins.

Although the brute-force attack is still visible, a new technique allows logging only failed attempts and not successful ones, generating a false sense of security.

The FortiClient VPN server stores login activity using a two-step process that consists of an authentication and an authorization stage.

Researchers at Pentera, a company providing automated security validation solutions, discovered that a successful login is recorded only if the process passes both the authentication and the authorization steps; otherwise, FortiClient VPN will log a failed authentication.

“[…] the failed ones are logged in the authentication phase but the successful ones are logged in the authorization phase, so yes, a full login with either a script or a VPN client would create a log,” Pentera security researcher Peter Viernik told BleepingComputer.

In a report today, the cybersecurity company describes how its researchers devised a method to stop the full login process after the authentication stage, allowing them to validate VPN credentials without logging the success.


https://www.bleepingcomputer.com/ne...t-fortinet-vpn-zero-day-to-steal-credentials/

Chinese threat actors use a custom post-exploitation toolkit named 'DeepData' to exploit a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal credentials. The zero-day allows the threat actors to dump the credentials from memory after the user authenticated with the VPN device. Volexity researchers report that they discovered this flaw earlier this summer and reported it to Fortinet, but the issue remains unfixed, and no CVE has been assigned to it.

"Volexity reported this vulnerability to Fortinet on July 18, 2024, and Fortinet acknowledged the issue on July 24, 2024," explains the report.

"At the time of writing, this issue remains unresolved and Volexity is not aware of an assigned CVE number."

Another article on the same issue:

https://www.securityweek.com/fortin...-in-malware-attacks-remains-unpatched-report/
The recently detailed DeepData malware framework was caught exploiting a zero-day vulnerability in the Fortinet VPN client for Windows to steal credentials, cybersecurity firm Volexity reports.

DeepData is a surveillance framework that relies on multiple plugins to target sensitive information stored in browsers, communication applications, and password managers, and which can record audio using the system’s microphone.

According to BlackBerry, both DeepData and the LightSpy iOS malware have been used by China-linked advanced persistent threat (APT) actor APT41 to spy on journalists, politicians, and political activists in Southeast Asia.

On Friday, Volexity revealed that DeepData was seen targeting Fortinet’s Windows VPN client to extract usernames, passwords, and other information from the process’ memory, by exploiting a zero-day vulnerability.

The bug, reported to Fortinet in July, when it was confirmed to be affecting the latest iteration of Fortinet’s VPN available at the time, does not have a CVE identifier and appears to have remained unpatched, the cybersecurity firm says.


🤡
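The two-stage logging design quoted above (failures recorded at the authentication stage, successes only at the authorization stage) is easy to model. The following is an added illustration, not Fortinet code: a toy VPN server with a switchable logging design, an attacker that hangs up as soon as a password authenticates, and a detector that still catches the failure burst. The usernames, passwords, source address and candidate list are constructed for the demo.

```python
"""Model of a two-stage VPN login whose 'success' audit record is written
only after authorization. An attacker who validates a password and aborts
before authorization leaves nothing but failure records behind.
Added example; not Fortinet's implementation."""
from dataclasses import dataclass, field
import hmac

# Constructed credential store (hypothetical users/passwords).
USERS = {"alice": "correct-horse", "bob": "hunter2"}


def _check_password(user, password):
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


@dataclass
class VpnServer:
    # False models the flawed design: a success is logged only in authorize().
    # True models the fix: the authentication outcome is logged where it is decided.
    log_auth_stage_success: bool
    events: list = field(default_factory=list)

    def authenticate(self, src_ip, user, password):
        ok = _check_password(user, password)
        if not ok:
            self.events.append({"src": src_ip, "user": user, "stage": "auth", "result": "failure"})
        elif self.log_auth_stage_success:
            self.events.append({"src": src_ip, "user": user, "stage": "auth", "result": "success"})
        return ok

    def authorize(self, src_ip, user):
        # Tunnel/policy setup. Only here does the flawed design record a success.
        self.events.append({"src": src_ip, "user": user, "stage": "authz", "result": "success"})

    def login(self, src_ip, user, password, *, abort_after_auth=False):
        if not self.authenticate(src_ip, user, password):
            return False
        if abort_after_auth:  # the attacker drops the connection here
            return True
        self.authorize(src_ip, user)
        return True


def brute_force(server, src_ip, user, candidates):
    """Attacker: stop at the first password that authenticates, never authorize."""
    for pw in candidates:
        if server.login(src_ip, user, pw, abort_after_auth=True):
            return pw
    return None


def successes_logged(server):
    return [e for e in server.events if e["result"] == "success"]


def failures_logged(server):
    return [e for e in server.events if e["result"] == "failure"]


def sources_with_failure_burst(events, threshold):
    """Defender: the failures are still visible, so alert on bursts per source
    regardless of whether a success record ever appears."""
    counts = {}
    for e in events:
        if e["result"] == "failure":
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


CANDIDATES = ["password", "letmein", "hunter2", "qwerty"]  # constructed wordlist


def run(hardened):
    srv = VpnServer(log_auth_stage_success=hardened)
    found = brute_force(srv, "198.51.100.7", "bob", CANDIDATES)
    return srv, found


if __name__ == "__main__":
    for hardened in (False, True):
        srv, found = run(hardened)
        print(f"hardened={hardened}: found={found!r} "
              f"failures={len(failures_logged(srv))} successes={len(successes_logged(srv))} "
              f"burst_sources={sources_with_failure_burst(srv.events, 2)}")
```

In the flawed configuration the attacker learns the valid password and the log contains two failures and no success; in the hardened configuration the same run leaves an authentication-stage success record. Either way the failure burst is visible, which is the signal to alert on.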
 
If I'm understanding these grave security issues have been well known since February and are still unresolved as of today? That sounds almost too insane to believe. The incompetence surely can't be this massive. But it is 2024 where tech workplaces are becoming less and less competent.
 
A large chunk of them are unresolved (the first one has been resolved). It's insane, but then, it's also Fortinet, there's a reason this meme exists, lol:

 
It looks like the big firewall companies are in for their money. Palo Alto just released an update for a few CVEs they thought were previously patched.
 
Resurrecting this one for yet another exciting Fortinet disaster!
https://dataconomy.com/2024/12/20/fortinet-urges-immediate-action-critical-rce-flaw-exposes-systems/

Thanks again to @Rand who I think must have "Fortinet" as a keyword in his notifications, lol

The identified bug, CVE-2023-34990, has a CVSS score of 9.6 and was first disclosed in March 2023. It is categorized as an “unauthenticated limited file read vulnerability.” Zach Hanley, a security researcher from Horizon3.ai, reported that the vulnerability stems from inadequate input validation on request parameters. This flaw allows attackers to traverse directories and access any log file on the system, potentially revealing sensitive information such as user session IDs. These logs are notably verbose in FortiWLM, increasing the risk when exploited.


The National Vulnerability Database (NVD) describes how this vulnerability can lead to executing unauthorized code via specially crafted web requests. The affected FortiWLM versions include 8.6.0 to 8.6.5, which have been addressed in 8.6.6 and above, and 8.5.0 to 8.5.4, fixed in version 8.5.5 or above. Given Fortinet’s prominence as a target for cyberattacks, the imperative for rapid patching cannot be overstated.

🤡 🤡 🤡
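The quoted description (inadequate validation of a request parameter letting a caller traverse directories and read any log file) is the classic path-traversal file-read class. As an added illustration, not FortiWLM's code, here is a log-file handler in the vulnerable shape beside a hardened one, with a constructed on-disk layout to exercise both. The directory names, file names and parameter names are assumptions for the demo.

```python
"""Directory traversal in a log-file read handler: vulnerable vs hardened.
Added example; not FortiWLM code."""
import os
import tempfile


def read_log_vulnerable(log_dir, filename):
    # Request parameter goes straight into the path: '../' escapes log_dir,
    # and a symlink inside log_dir is followed wherever it points.
    with open(os.path.join(log_dir, filename), "rb") as f:
        return f.read()


def read_log_hardened(log_dir, filename):
    # 1. Only a bare file name is acceptable (no separators, no '.' or '..').
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise ValueError("invalid log name")
    # 2. Allowlist the extension so the handler cannot serve arbitrary files.
    if not filename.endswith(".log"):
        raise ValueError("not a log file")
    # 3. Resolve symlinks and verify the real path is still under log_dir.
    root = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes log directory")
    with open(target, "rb") as f:
        return f.read()


def build_fixture():
    """Constructed layout: <tmp>/logs/app.log inside the log dir,
    <tmp>/secret.conf outside it, and a symlink in the log dir pointing out."""
    base = tempfile.mkdtemp()
    log_dir = os.path.join(base, "logs")
    os.mkdir(log_dir)
    with open(os.path.join(log_dir, "app.log"), "wb") as f:
        f.write(b"session_id=deadbeef user=admin\n")  # constructed verbose log line
    with open(os.path.join(base, "secret.conf"), "wb") as f:
        f.write(b"api_key=TOPSECRET\n")
    os.symlink(os.path.join(base, "secret.conf"), os.path.join(log_dir, "link.log"))
    return log_dir


def traversal_succeeds(reader, log_dir, name):
    """True if the handler hands back the out-of-tree file's contents."""
    try:
        return b"TOPSECRET" in reader(log_dir, name)
    except (ValueError, OSError):
        return False


if __name__ == "__main__":
    d = build_fixture()
    for name in ("app.log", "../secret.conf", "link.log"):
        print(f"{name:16} vulnerable={traversal_succeeds(read_log_vulnerable, d, name)} "
              f"hardened={traversal_succeeds(read_log_hardened, d, name)}")
```

The basename check alone is not enough: a symlink planted inside the log directory passes it, which is why the hardened handler also resolves the final path and checks it against the resolved root. Note that even a correctly confined log reader leaks whatever the logs contain, so session identifiers should not be written to logs in the first place.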
 
I block fortinet IP's on my work router so they don't hit my mail and web servers. All I've ever seen from fortinet IP's are the typical wordpress login probes and other junk like that.
 
Years back I was doing a gateway changeover for a Mercedes dealer, this was back when all the networking was centrally managed by a Mercedes subcontractor, but they didn't do onsite support. Was removing a single Juniper piece of equipment. Well, when I got onsite and saw what I was swapping in (two Fortinet units) I was on the phone with the vendor and asking what the heck was the reasoning here, and he replied that a pair (semi-HA) of Fortinet units was cheaper than a single Juniper SSG by a considerable margin. The move was being done as a cost saving measure, nothing else.

Interestingly, that whole system was abandoned somewhat recently and these Fortinet units became effectively abandonware, with no vendor looking after them anymore. I've since swapped them out for Cisco, lol.
 
I replaced four Palo 5060s with Fortinet FortiGate 1800Fs for cost savings at a prior employer. Not my idea. Saved a half million dollars over 3 years versus buying Palo 5200 series to replace the 5060s.

Palo is of course, extremely proud of their ish, and they have been for a while. But they are not without their own problems. We spent something insane (I think $3M) for a pair of 5450s to replace 5260s, because even though they weren't anywhere close to the bandwidth limits, we were hitting the session limits because we are defending a lot of IP space. Da fuq? I gotta replace a 1 million dollar firewall pair with a 3 million dollar pair of firewalls because we don't use very much NAT? I'd hate to see one of these things with an EMEA customer using real IPv6 space, they'd have a meltdown.

Also, you still can't negate sources and destinations in Palo, i.e. if this traffic is not from the US, then do XYZ with it. I mean Cisco had this feature 30 years ago. But anyway. I've fallen out of love with Palo, but, what else is there that's any good? I have not suffered a breach using Palo gear, I can at least say that much for it.

Ah yes we were talking about Fortinet. From a firewall admin perspective Fortigates aren't bad, the UI is pretty easy to work with both in the Web GUI and CLI. I'd take them over an old ASA any day from an ease of use perspective. But the software vulnerabilities make them unacceptable for use in any serious enterprise.

I got a call last year from the local Fortinet vendor rep, he had moved on to another job in a different company. Maybe saw the writing on the wall. Me and him were pretty tight for a while, we spent a lot of money with them a few years back at my prior employer. When I moved on in 2022 to a Palo shop he quit calling so much.

It's hard to believe FortiGate was in the Gartner Leaders Quadrant for Enterprise Firewalls in 2020. They have fallen hard since then.
 