Fortinet follows Cisco in confirming Shadow Broker vuln

Versions after August 2012 are in the clear


Whatever the source and whoever the backers, evidence is mounting that the Shadow Brokers vuln-dump is real: Fortinet has followed Cisco in confirming its place on the list.

Cisco's confirmation said the EPICBANANA and EXTRABACON vulns listed in the drop were real. It had fixed one in 2011, and the other, a new SNMP bug, is on the to-do list with Snort rules providing temporary protection.

Fortinet's advisory has now landed, adding yet more credence to the dump.

Fortinet's vulnerability only exists in pre-August 2012 versions of its FortiGate firmware. Versions 4.3.8 and below; 4.2.12 and below; and 4.1.10 and below are affected by the cookie parser buffer overflow. Versions 5.x are not affected.

“This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over”, the advisory says. If a product can support 5.x firmware, that should be installed; if not, version 4.3.9 or above also fixes it.

Kasperky Lab had already confirmed to El Reg that the archive seemed genuine, but old – it was apparently collected some time in 2013.

That puts the collection of the archive before the White House's 2014 statement that it would quit hoarding vulns unless the NSA could convince it they were vital for intelligence-gathering.

Although the Electronic Frontier Foundation sued the agency in 2014 in the belief it was still keeping zero-days to itself, earlier this month, Columbia University researcher Jason Healey claimed the total number in the hoard these days is around 50. ®

Similar topics


Other stories you might like

  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading

Biting the hand that feeds IT © 1998–2022