Fortinet's week to forget: Critical vulns, disclosure screw-ups, and that toothbrush DDoS attack claim
An orchestra of fails for the security vendor
We've had to write the word "Fortinet" so often lately that we're considering making a macro just to make our lives a little easier after what the company's reps will surely agree has been a week sent from hell.
It all culminated this Friday with the disclosure of yet another critical security vulnerability in FortiOS, impacting its SSL VPN.
Tracked as CVE-2024-21762, the 9.6 severity out-of-bounds write issue allows remote unauthenticated attackers to achieve code execution. There's also evidence to suggest it's already been exploited as a zero-day.
Security researchers have urged users to patch vulnerable VPNs as soon as possible since the vulnerability is understood to be easily exploitable.
Several versions of FortiOS are affected, each with its own fixed release. The vulnerability also impacts unsupported versions, so now is definitely the time to make that upgrade if FortiOS 6.0.x is still running.
| Affected FortiOS version | Solution |
| 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
| 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| 6.2.0 through 6.2.15 | Upgrade to 6.2.16 or above |
| 6.0 all versions | Migrate to a fixed release |
The only workaround recommended by Fortinet is to disable the SSL VPN. Disabling webmode won't mitigate the vulnerability, it said.
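As an added example (not from the article or from Fortinet), the following triage helper checks a FortiOS version string against the affected ranges in the table above and reports the upgrade target; the version strings and the `triage` function are constructed here for illustration.

```python
# Added example: map a FortiOS version to the SSL VPN advisory's affected ranges.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (lowest affected, highest affected, fixed release) per branch, copied from the table.
# A fixed release of None means the whole branch is affected and must be migrated.
AFFECTED = [
    ((7, 4, 0), (7, 4, 2), "7.4.3"),
    ((7, 2, 0), (7, 2, 6), "7.2.7"),
    ((7, 0, 0), (7, 0, 13), "7.0.14"),
    ((6, 4, 0), (6, 4, 14), "6.4.15"),
    ((6, 2, 0), (6, 2, 15), "6.2.16"),
    ((6, 0, 0), (6, 0, 0), None),  # range is ignored: every 6.0.x build is affected
]


def parse_version(text: str) -> Version:
    """Turn '7.2.6' or 'v7.2' into a comparable tuple; a missing patch digit counts as 0."""
    parts = text.strip().lstrip("v").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def triage(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, action): status is 'affected', 'fixed' or 'unknown'."""
    v = parse_version(text)
    for low, high, fixed in AFFECTED:
        same_branch = v[:2] == low[:2]
        if fixed is None and same_branch:
            return "affected", "migrate to a fixed release"
        if low <= v <= high:
            return "affected", f"upgrade to {fixed} or above"
        if same_branch and v > high:
            return "fixed", None
    # Branch not in the advisory table (e.g. 5.x): do not assume it is safe.
    return "unknown", "branch not listed; check the vendor advisory directly"


if __name__ == "__main__":
    for sample in ("7.2.6", "7.0.14", "6.0.17", "5.6.0"):  # constructed inputs
        print(sample, triage(sample))
```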
Other vulnerabilities were also disclosed alongside it, such as CVE-2024-23113, a critical RCE bug in the FortiOS fgfmd daemon, but these haven't been exploited in the wild.
Buggy bug disclosure and an angry kettle
Some of you Reg readers will have been following the Fortinet-related coverage this week and perused the story about a confusing double bug disclosure on February 6. This was just the start of hell week.
The story immediately attracted our attention since it's not too often we hear about two maximum severity bugs being disclosed on the same day, impacting a major security product like FortiSIEM.
However, that's what happened on Tuesday with both CVE-2024-23108 and CVE-2024-23109 appearing in the National Vulnerability Database (NVD). The confusing part was that both vulnerabilities were submitted by Fortinet, but both linked back to a separate, earlier October advisory, revealing no details about these seemingly huge new flaws.
So, hungry vultures we are, we swooped down and picked that story up immediately, shooting Fortinet a request for clarity on the matter and why it hadn't published details on them.
Many readers will likely have seen that story since it was among the most-read for a few days, but some may be wondering why we didn't update it with the latest available information per our usual high standards.
It took Fortinet more than 73 hours to issue us with an official response. It came through after we started writing this on February 9.
For those not in tune with how the media works, this is very, very poor form on the vendor's part. Taking more than 24 hours to respond to a publication, especially with no explanation for the delay, is considered unprofessional.
In the meantime, the company had issued two separate statements to our competitors explaining what exactly had gone wrong with this disclosure. We didn't publish these for a number of editorial reasons, and prior to the statement issued today, we had only received apologies for the radio silence. Not even copies of the statements given to other publications.
If a 24-hour wait is considered unprofessional, more than three days is a slap in the face.
So, all of that is why our coverage hasn't been as timely as we, and you as readers, expect from us.
But, since we're providing an overview of the vendor's week, what actually happened here was that it absolutely bungled the disclosure of these vulnerabilities.
Firstly, Fortinet backtracked and said these weren't vulnerabilities at all, instead explaining that they were issued in error and were duplicates of the single vulnerability mentioned in the aforementioned October advisory – CVE-2023-34992.
Then, within hours of this, the company backtracked again saying that yes, actually, these are two new vulnerabilities – two bypasses for October's CVE-2023-34992. This came after the researcher credited with the discoveries published the email from Fortinet confirming the findings were indeed actual vulnerabilities. Fortinet retained its 10/10 severity ratings, while the NVD downgraded both to 9.8.
Fortinet's statement from today addressed the 'why' behind the disclosure, blaming it on "exceptional circumstances."
According to a Fortinet spokesperson:
Timely and ongoing communications with our customers is a key component in our efforts to help protect and secure their organization. Fortinet PSIRT policy diligently balances our commitment to the security of our customers and our culture of researcher collaboration and transparency.
There are instances where confidential advance customer communications can include early warning on advisories to enable customers to further strengthen their security posture, prior to the advisory being publicly released to a broader audience. This process follows best practices for responsible disclosure to provide our customers timely information to help them make informed decisions.
Due to exceptional circumstances that include the premature dissemination of mitigation guidance and in an effort to help protect our customers, Fortinet distributed its monthly advisory on February 8 ahead of its anticipated February 13 publication date to provide important details to customers considering these circumstances. For more on Fortinet's responsible disclosure process, visit the Fortinet Product Security Incident Response Team (PSIRT).
That damned toothbrush story
Security-minded readers or otherwise, you will all have surely seen the story circulating this week about Java-based, malware-laden toothbrushes being recruited in a 3 million-strong botnet that's DDoS-ing Switzerland.
Unlike many major national newspapers, and even some well-read tech press, we brushed over this one as something didn't quite seem right about it. For Fortinet, it was yet another mess to clean up.
The Swiss newspaper that originally published the story claimed a director of systems engineering at [you can guess the company] told their reporter during an interview that the toothbrush DDoS-ing was actually happening in the real world.
After many strongly worded suspicions that the claim was false, and a litany of memes pasted over tech social media, Fortinet responded by saying the claim was simply just lost in translation and that there was no actual massive toothbrush botnet. It was just a hypothetical situation.
The writer at the Swiss German daily who first reported the story snapped back, disputing Fortinet's response, saying: "What the Fortinet headquarters in California is now calling a 'translation problem' sounded completely different during the research: Swiss Fortinet representatives described the toothbrush case as a real DDoS at a meeting that discussed current threats."
Stefan Zuger, the Fortinet engineer who gave the interview, provided specific details of the DDoS incident, including for how long the attack had been ongoing and the potential damage to the unnamed website it affected, the reporter claimed.
The Swiss journo also said the article was proofread by Fortinet before publication and nothing in the report was corrected by the vendor.
The weekend will doubtless be a welcome reprieve, especially for members of Fortinet's publicity team who will have been working tirelessly to undo all the company-wide errors from the past week.
To their credit, they will also be dealing with the response to the reports that were also published this week about Chinese cyberspies exploiting FortiGate vulnerabilities using custom malware.
We at El Reg lovingly welcome errors and messes of all kinds. We hate slow news days, so long may it continue… just as long as we're not ignored while it's happening. ®