Fortinet's week to forget: Critical vulns, disclosure screw-ups, and that toothbrush DDoS attack claim


We've had to write the word "Fortinet" so often lately that we're considering making a macro just to make our lives a little easier after what the company's reps will surely agree has been a week sent from hell.

It all culminated this Friday with the disclosure of yet another critical security vulnerability in FortiOS, this one in its SSL VPN.

Tracked as CVE-2024-21762, the 9.6-severity out-of-bounds write issue allows remote, unauthenticated attackers to achieve code execution. There's also evidence to suggest it's already been exploited as a zero-day.

Security researchers have urged users to patch vulnerable VPNs as soon as possible, since the vulnerability is understood to be easily exploitable.

Several FortiOS branches are affected, each with its own fixed release. The vulnerability also impacts unsupported versions, so now is definitely the time to make that upgrade if FortiOS 6.0.x is still running.

Version       Affected                 Solution
FortiOS 7.6   Not affected             Not applicable
FortiOS 7.4   7.4.0 through 7.4.2      Upgrade to 7.4.3 or above
FortiOS 7.2   7.2.0 through 7.2.6      Upgrade to 7.2.7 or above
FortiOS 7.0   7.0.0 through 7.0.13     Upgrade to 7.0.14 or above
FortiOS 6.4   6.4.0 through 6.4.14     Upgrade to 6.4.15 or above
FortiOS 6.2   6.2.0 through 6.2.15     Upgrade to 6.2.16 or above
FortiOS 6.0   6.0 all versions         Migrate to a fixed release

The only workaround recommended by Fortinet is to disable the SSL VPN entirely. Disabling web mode alone won't mitigate the vulnerability, it said.

Other vulnerabilities were also disclosed alongside it, such as CVE-2024-23113 – a critical remote code execution bug in the FortiOS fgfmd daemon – but there is no indication these have been exploited in the wild.
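To turn the version table above into something you can run over a fleet inventory, here is an added example (not Fortinet's code and not from the original article) that parses a FortiOS version string and reports whether it falls inside the affected ranges for CVE-2024-21762. The branch ranges are copied from the table; the sample "Version: ... v7.0.12,build..." line imitating `get system status` output and the hostnames in the sample inventory are constructed assumptions for the example.

```python
"""Triage FortiOS versions against the CVE-2024-21762 advisory table.

Added example, not Fortinet's code. Ranges are taken from the advisory
table reproduced in the article above.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# branch -> (first affected, last affected, first fixed build)
AFFECTED_RANGES: Dict[Tuple[int, int], Tuple[Version, Version, Version]] = {
    (7, 4): ((7, 4, 0), (7, 4, 2), (7, 4, 3)),
    (7, 2): ((7, 2, 0), (7, 2, 6), (7, 2, 7)),
    (7, 0): ((7, 0, 0), (7, 0, 13), (7, 0, 14)),
    (6, 4): ((6, 4, 0), (6, 4, 14), (6, 4, 15)),
    (6, 2): ((6, 2, 0), (6, 2, 15), (6, 2, 16)),
}
NOT_AFFECTED_BRANCHES = {(7, 6)}
# FortiOS 6.0 is affected in every build and has no fix in-branch.
UNFIXED_BRANCHES = {(6, 0)}

# Matches "7.0.12", "v7.0.12", or the version embedded in a longer line such as
# "Version: FortiGate-60F v7.0.12,build0523,230425 (GA.F)". That line format is
# an assumption for this example; feed it the version field, not a whole config
# dump, because the regex takes the first dotted triple it finds.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Version:
    """Extract the first x.y.z FortiOS version found in `text`."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(text: str) -> Tuple[str, str]:
    """Return (status, action) for one device's version string.

    status is one of "affected", "fixed", "not_affected" or "unknown".
    """
    v = parse_version(text)
    branch = v[:2]
    if branch in NOT_AFFECTED_BRANCHES:
        return "not_affected", "no action required"
    if branch in UNFIXED_BRANCHES:
        return "affected", "migrate to a fixed release; no patch exists for this branch"
    rng = AFFECTED_RANGES.get(branch)
    if rng is None:
        return "unknown", "branch not in the advisory table; check Fortinet's PSIRT advisory"
    first, last, fixed = rng
    if first <= v <= last:
        return "affected", f"upgrade to {fmt(fixed)} or above"
    if v >= fixed:
        return "fixed", f"running {fmt(v)}, at or above {fmt(fixed)}"
    # Only reachable if a branch had a gap between last affected and first fixed.
    return "unknown", "build sits outside the ranges listed; verify manually"


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map hostname -> (status, action) for a hostname -> version-line inventory."""
    return {host: assess(line) for host, line in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up.
    sample = {
        "edge-fw-01": "Version: FortiGate-60F v7.0.12,build0523,230425 (GA.F)",
        "edge-fw-02": "v7.4.3",
        "legacy-fw":  "6.0.17",
        "lab-fw":     "7.6.0",
    }
    for host, (status, action) in triage(sample).items():
        print(f"{host:12} {status:13} {action}")
```

Devices that come back "affected" need the upgrade in the action column; where that cannot happen immediately, Fortinet's only sanctioned stopgap is to disable the SSL VPN, not just web mode.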

Buggy bug disclosure and an angry kettle

Some of you Reg readers will have been following the Fortinet-related coverage this week and perused the story about a confusing double bug disclosure on February 6. This was just the start of hell week.

The story immediately attracted our attention since it's not too often we hear about two maximum-severity bugs being disclosed on the same day, impacting a major security product like FortiSIEM.

However, that's what happened on Tuesday, with both CVE-2024-23108 and CVE-2024-23109 appearing in the National Vulnerability Database (NVD). The confusing part was that both vulnerabilities were submitted by Fortinet, but both linked back to a separate, earlier October advisory, revealing no details about these seemingly huge new flaws.

So, hungry vultures that we are, we swooped down and picked that story up immediately, shooting Fortinet a request for clarity on the matter and why it hadn't published details on them.

Many readers will likely have seen that story since it was among the most-read for a few days, but some may be wondering why we didn't update it with the latest available information per our usual high standards.

It took Fortinet more than 73 hours to issue us with an official response. It came through after we started writing this on February 9.

For those not in tune with how the media works, this is very, very poor form on the vendor's part. A response given to a publication anything beyond 24 hours later, especially with no explanation for the delay, is considered unprofessional.

In the meantime, the company issued two separate statements to our competitors explaining what exactly had gone wrong with this disclosure. We didn't publish these for a number of editorial reasons, and prior to the statement issued today, we had only received apologies for the radio silence. Not even copies of the statements given to other publications.

If a 24-hour delay is considered unprofessional, more than three days is a slap in the face.

So, all of that is why our coverage hasn't been as timely as we, and you as readers, expect from us.

But, since we're providing an overview of the vendor's week, what really happened here was that it absolutely bungled the disclosure of these vulnerabilities.

Firstly, Fortinet backtracked and said these weren't vulnerabilities at all, instead explaining that they were issued in error and were duplicates of the single vulnerability mentioned in the aforementioned October advisory – CVE-2023-34992.

Then, within hours of this, the company backtracked again, saying that yes, actually, these are two new vulnerabilities – two bypasses for October's CVE-2023-34992. This came after the researcher credited with the discoveries published the email from Fortinet confirming the findings were indeed real vulnerabilities. Fortinet retained its 10/10 severity ratings, while the NVD downgraded both to 9.8.

Fortinet's statement from today addressed the 'why' behind the disclosure, blaming it on "exceptional circumstances."

According to a Fortinet spokesperson:

That damned toothbrush story

Security-minded readers or otherwise, you will all surely have seen the story circulating this week about Java-based, malware-laden toothbrushes being recruited into a 3 million-strong botnet that's DDoS-ing Switzerland.

Unlike many of the major national newspapers, and even some well-read tech press, we brushed over this one as something didn't quite seem right about it. For Fortinet, it was yet another mess to clean up.

The Swiss newspaper that originally published the story claimed a head of systems engineering at [you can guess the company] told their reporter during an interview that the toothbrush DDoS-ing was actually happening in the real world.

After many strongly worded suspicions that the claim was false, and a litany of memes pasted all over tech social media, Fortinet responded by saying the claim was simply lost in translation.

The reporter at the Swiss German daily which originally reported the story then snapped back with a comeback that refuted Fortinet's response, saying: "What the Fortinet office in California is now calling a 'translation problem' sounded completely different during the research: Swiss Fortinet representatives described the toothbrush case as a real DDoS at a meeting that discussed current threats."

Stefan Zuger, the Fortinet engineer who gave the interview, reportedly provided specific details of the DDoS incident, including how long the attack had been ongoing and the potential damage to the unnamed website it affected, the reporter claimed.

The Swiss reporter also said the article was proofread by Fortinet before publication and nothing in the report was corrected by the vendor.

TGIF, right?

The weekend will doubtless be a welcome reprieve, especially for members of Fortinet's publicity team, who will have been working tirelessly to undo all the company-wide errors from the past week.

To their credit, they will also be dealing with the response to the reports that were also published this week about Chinese cyberspies exploiting FortiGate vulnerabilities using custom malware.

We at El Reg lovingly welcome errors and messes of all kinds. We hate slow news days, so long may it continue… just as long as we're not ignored while it's happening. ®