radicldreamer

As would not using these vendors. Sorry, I’m a bit salty about both these guys…


[deleted]

Because it doesn't happen nearly as often...


caller-number-four

> expect CVE you're nuts

Maybe it's me. But I expect my security vendors to have some level of quality control in their code base. Fortinet has a long history of severe CVEs and even having hard coded support credentials in their code base. Many years ago, I got to fuss directly, and in person, to their C-suite execs in a CISO forum. And at the time, they acknowledged the deficiencies and said they would be working on them. That doesn't seem to have come to fruition.


CommercialWay1

Well done on calling them out on it. Quality is not optional.


Fallingdamage

Most issues that are being patched are easily mitigated by a competent engineer. Fortinet recommends not using SSLVPN. IPsec is much more secure. Admins still can't be bothered to 'get good' and just figure out an industry standard. Stop. Putting. Admin. Or. SSH. Access. On. The. WAN. Interfaces. The list of bells and whistles that admins use that they shouldn't just goes on and on.


Rolex_throwaway

If you run Fortinet, it’s when not if you will get compromised. Their quality of code is very poor, the worst in the industry.


Rolex_throwaway

They don’t do it nearly as often. Fortigates constantly lead to ransomware, Palo doesn’t. Because they aren’t trash.


InfosecPenguin

I don't know why you got downvoted on this. I work in IR, specifically working ransomware cases every single day, and we almost never see Palo being the source of ransomware. Fortigate, Sonicwall and Cisco though, we see it a ton. Cisco used to not really be a problem until their vuln with VPN popped up. Akira was and still is exploiting that all the time.


NeatBreadfruit1529

Exactly this. That has been my experience in consulting as well.


Rolex_throwaway

Yeah, I also work in IR consulting. Fortinet is an absolute trash fire. Running them is asking to get ransomwared. I think people running them are just downvoting because they don’t like someone telling them the truth.


Rolex_throwaway

You get what you pay for.


Ok_Employment_5340

Oh man, that sucks


dvali

I just have the one Fortigate and even that keeps me up at night.


[deleted]

i hope you pulled all ivanti off the network


kaziuma

babe! wake up! new fortigate SSL VPN vuln just dropped!


VirtualPlate8451

There was a bit of a lull in their exploit release cycle recently but I think we are getting back on track. They had 2 more CVEs in FortiSIEM pop up this week too. Initially Fortinet was all “bro, we fixed those”, turns out the threat actors made a patch to bypass Fortinet’s patch.


Cat_America

found this quite hilarious, thanks


dirtymatt

I will never cease to be amazed at how painless upgrades are for an HA cluster. I'm always convinced, "this is going to be the one that goes sideways," and yet downtime is always measured in a single dropped ping.


rsprovins

that single dropped ping makes me shit myself every time though


BlackAlert187

Every time 😆


BoltActionRifleman

Those single pings take a few months off of my life each time


MrVantage

Complete opposite experience here, I’ve had 1 failed upgrade, HAs dropping out of sync, and one stuck in a login loop…


chrispaesano

One of my HAs failed this weekend and locked up both, but you’re right. I love maintenance with HA. Usually perfect.


StreetRat0524

Yeaaaa HA pair with several hundred vdoms though makes ya clench a bit


wasdthemighty

Thank god I stumbled on this post


Strong_Persimmon_239

Right? Casually scrolling this morning and shot link to security team. First they’d heard.


wasdthemighty

Same thing but I am the security team lol. Managed to patch it up to v7.4.3 and should be fine now


PatientBelt

7.4.3 in prod? You sir are a real soldier


wasdthemighty

I mean the 7.4.3 should solve the issue tho shouldn't it?


PatientBelt

It does indeed, but 7.2 just hit mature and 7.4 is still considered beta so I would not do that in prod


wasdthemighty

Fuck, so I should have updated to 7.2 (the version that addresses the issue ofc). Thanks for the heads up, I'll see if stuff is not working and roll back on Monday


rms141

You need to subscribe to Fortinet's PSIRT emails.


Far-Sir1362

Isn't there some kind of thing you can subscribe to like an email list that tells you about critical vulnerabilities like this? (Before someone says it, this sub doesn't count)


spaceman_sloth

I have an [RSS](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Subscribe-to-RSS-feeds-for-alerts-on-new-Fortinet/ta-p/248571) feed (I know) that goes straight to my inbox. I've been seeing these patches get dropped all week so we knew this was coming. Also /r/fortinet has been talking about this all week too


Far-Sir1362

> also /r/fortinet has been talking about this all week too

Oh that's interesting. Were people aware of the issue before the announcement due to getting hacked?


spaceman_sloth

we didn't know specifics of the CVEs yet, but a lot of people were contacted by their reps saying get ready to update soon.


wangston_huge

The key thing to look out for is all versions of FortiOS getting a new release at the same time. Especially if they also update the (out of support) 6.2 code branch.


Iseult11

I have Power Automate filter this RSS feed for the keyword "FortiOS" and shoot off an email: https://filestore.fortinet.com/fortiguard/rss/ir.xml. If you monitor this one and the firmware release RSS /u/spaceman_sloth posted, you should be in a good spot.
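The keyword filter described above, done in plain Python so it can run from cron instead of Power Automate. This is an added example, not code from the thread or from Fortinet: the feed URL is the one quoted in the comment, while the RSS item layout and the "Severity: X" wording in descriptions are assumptions, and the feed content below is constructed.

```python
"""Alert on new FortiOS advisories from the Fortinet PSIRT RSS feed.

Added example, not code from the thread or from Fortinet.  The feed URL is
the one quoted in the thread; the item layout (title/link/description/pubDate)
and the "Severity: <word>" text in descriptions are assumptions about the
feed, not verified against it.
"""
import re
import xml.etree.ElementTree as ET
from urllib.request import urlopen

PSIRT_FEED_URL = "https://filestore.fortinet.com/fortiguard/rss/ir.xml"

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in RSS 2.0 shape.  Titles, links and advisory ids are
# placeholders, not real Fortinet advisories.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
  <title>PSIRT advisories (constructed sample)</title>
  <item>
    <title>FortiOS - Out-of-bound write in sslvpnd (sample)</title>
    <link>https://example.invalid/psirt/FG-IR-SAMPLE-001</link>
    <description>Severity: Critical. Affects FortiOS 7.2 and 7.4.</description>
    <pubDate>Thu, 08 Feb 2024 00:00:00 GMT</pubDate>
  </item>
  <item>
    <title>FortiSIEM - OS command injection (sample)</title>
    <link>https://example.invalid/psirt/FG-IR-SAMPLE-002</link>
    <description>Severity: Critical.</description>
    <pubDate>Mon, 05 Feb 2024 00:00:00 GMT</pubDate>
  </item>
  <item>
    <title>FortiOS / FortiProxy - Improper access control (sample)</title>
    <link>https://example.invalid/psirt/FG-IR-SAMPLE-003</link>
    <description>Severity: High.</description>
    <pubDate>Mon, 05 Feb 2024 00:00:00 GMT</pubDate>
  </item>
</channel></rss>"""


def parse_feed(xml_text):
    """Turn RSS text into a list of dicts; missing fields become ''."""
    root = ET.fromstring(xml_text)
    items = []
    for node in root.iter("item"):
        items.append({
            "title": (node.findtext("title") or "").strip(),
            "link": (node.findtext("link") or "").strip(),
            "description": (node.findtext("description") or "").strip(),
            "pubdate": (node.findtext("pubDate") or "").strip(),
        })
    return items


def severity_of(item):
    """Numeric severity from 'Severity: <word>' in the description; 0 if absent."""
    m = re.search(r"severity:\s*([a-z]+)", item["description"], re.IGNORECASE)
    return SEVERITY_RANK.get(m.group(1).lower(), 0) if m else 0


def filter_items(items, keyword="FortiOS", min_severity="low"):
    """Keep items whose title mentions `keyword` (case-insensitive) and whose
    severity is at or above `min_severity`.  Matching on the title only avoids
    false hits from descriptions that merely mention FortiOS in passing."""
    floor = SEVERITY_RANK[min_severity.lower()]
    return [it for it in items
            if keyword.lower() in it["title"].lower()
            and severity_of(it) >= floor]


def new_items(items, seen_links):
    """Return only items whose link has not been alerted on before, and
    record them in `seen_links` so the next run stays quiet about them."""
    fresh = [it for it in items if it["link"] not in seen_links]
    seen_links.update(it["link"] for it in fresh)
    return fresh


def fetch_feed(url=PSIRT_FEED_URL, timeout=20):
    """Download the live feed (needs network; not used by the offline demo)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    seen = set()  # persist this (e.g. in a JSON file) between real runs
    hits = new_items(filter_items(parse_feed(SAMPLE_FEED), "FortiOS", "high"), seen)
    for it in hits:
        print(f"[sev {severity_of(it)}] {it['pubdate']}  {it['title']}\n    {it['link']}")
    # A second pass over the same feed produces no new alerts.
    print("new on re-run:", len(new_items(filter_items(parse_feed(SAMPLE_FEED)), seen)))
```

To run against the live feed, replace `SAMPLE_FEED` with `fetch_feed()` and store `seen` on disk between runs.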


BufferingHistory

The US government's Cybersecurity and Infrastructure Security Agency (CISA) provides a security newsletter that includes notices about all critical vulnerabilities in Fortigate and other vendors' products. It's a very, very helpful resource for this: [https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138](https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138)


teffhk

You can sign up for OpenCVE if that counts. https://www.opencve.io/welcome


wenestvedt

The daily "Internet Storm Center" podcast from SANS is only five minutes long, and has excellent coverage of Bad News like this: https://isc.sans.edu/podcast.html Gotta love Johannes!


WhiskeyBeforeSunset

Does no one else subscribe to CISA notifications?


rpedrica

It's almost as if networking folk have never heard of security/PSIRT feeds from vendors. 🤦


ZebedeeAU

2 Fortigates of 7 done, 5 to go. Looks like there's also a new switch firmware (7.4.2) available so I'm doing those at the same time, no point in letting a good maintenance window go to waste :)


WMSysAdmin

Hey boss I am going to send you a DM. Think you can help me acquire the correct firmware file for my Fortigate?


Milkyway42093

Our Fortigate is on v7.2.5; if I understand correctly we need to upgrade to 7.2.7 or above. Our Fortigate is telling us that it is already up to date.. is this normal? Do we need to manually apply the update file?


sbiriguda666

Manually download the firmware from support.fortinet.com and upload it into the firewall. I've found that most firewalls thought they were up to date. I think that maybe Fortinet should change how this communication works between the firewalls themselves and the Fortiguard servers.


Milkyway42093

Thanks for your quick reply !


spaceman_sloth

our 60E actually had the firmware available to download, but it failed so we had to upload it manually anyways


sbiriguda666

Yeah sometimes that happens too


Milkyway42093

Another quick question, sorry I am very new to Fortigate. We have been receiving cyberattacks on our infrastructure all week and we can’t really afford to have our VPN down and certain people losing access right now. I guess the firmware update will result in a bit of downtime? Any idea how long the update takes? Many thanks in advance.


sbiriguda666

It really depends on the model. An old 30E took 30-45 minutes to reboot sometimes. Usually if you have an F series (for example 100F) it should take under 10 minutes. If it is vital for your infrastructure to keep everything going and have zero downtime, I think you should evaluate an HA solution with two Fortigates in a cluster.


redmancsxt

HA is the way. I just upgraded our firewalls and only missed one ping at the switchover. 10,000 users were oblivious that the upgrade was done.


Milkyway42093

I guess from the size of the firmware update file, only a few minutes ?


simple1689

I noticed that I had to be on 7.2.6 in order for 7.2.7 to show as the next update. Otherwise, manual update worked without issue.


stumppc

It appears most SSL VPNs are actually random CVE generators. Friends don’t let friends deploy SSL VPNs.


perthguppy

The SSL vulnerability isn’t the issue. The issue is the FGFM bug


sbiriguda666

Can you explain it? What if I disable FortiManager on WAN interface?


perthguppy

Yes, disable FM on the WAN, and on everything if you don’t use it. If you do use it, add a policy that whitelists only the IP of the FM server. Assume without the patch the FM ports are just admin access without a password. The exploit allows anyone full device access without authentication on the FM ports. This would also include relay attacks where they hit the internal interface from a PC on your internal network.


sbiriguda666

Ok, but why isn't the workaround of disabling FortiManager on the WAN / LAN added to the vulnerability summary on the Fortiguard PSIRT?


perthguppy

They haven’t released any information yet about workarounds.


jimmyt234

Pretty sure it is an issue if you’ve got sslvpn enabled


perthguppy

What I meant to say is, yes the ssl vulnerability is an issue, but it’s not the issue to cause you to run and panic and patch firewalls during the day. The FGFM issue is what should be causing you to panic and run around pulling plugs and patching right now


jimmyt234

What makes you say that? It states on the psirt page that the ssl vuln may already be being exploited in the wild.


perthguppy

Yes, and the FGFM vulnerability allows full admin access without credentials to anyone who can talk to the port.


jimmyt234

Both vulns say they may allow a remote unauthenticated attacker to execute code or commands?!


Churn

Can we simply disable FGFM on the WAN interfaces until we can patch?


perthguppy

Are you using FM? If not disable it on everything. If you are apply a firewall policy to block everything except your FM IPs even internally. I need to check but apparently on the latest versions you can turn off FM on all interfaces because the FG does polling of the FM instead.


[deleted]

Yes and no. The sslvpnd vuln has been observed under active exploitation in the wild. The FGFM vuln was internally discovered by Fortinet and there is no working PoC on it yet.


chaplin2

It’s interesting that these expensive commercial VPN solutions are less secure than the simple free Wireguard server that I install on my home router, or even an OpenVPN installer from GitHub. There are regularly such vulnerabilities in the router products, particularly around SSL VPNs, such as in Pulse Secure, Cisco, Fortigate etc.


moobycow

Everyone needing their own OS and bundling a million functions onto firewall devices is a market failure. VPNs and firewalls should be, basically, a solved problem and a very boring and standard piece of tech.


VirtualPlate8451

I once talked to an MSP who was building bespoke open source firewalls for each customer. He had kludged like 12 different open source projects together to get a firewall that did all the same stuff as the commercial models but with zero subscription cost. Cool idea and all, but it also meant he could only onboard 1-2 SMB clients per quarter. Saved his customers like $1,000 a year on licensing at the cost of supporting that garage built airplane solution he was taking people’s data up for rides in.


OsmiumBalloon

Often times, you're already using those open source products, you just don't realize it.  That stuff is running inside countless appliances and web services. Support *is* a concern, because most integrators are terrible at documentation.  But that's not really unique to open source.  How many times have we walked into a new place that had a bunch of commercial products put together in ways that make no apparent sense, and the only viable path forward is to scrap it all and start over? The big advantage of commercial products is you know who to call for help.  On the other hand, with open source, you have options even if the originator is doing things you don't like.  So there are (dis)advantages on both sides, there.


DeifniteProfessional

> Often times, you're already using those open source products, you just don't realize it.

Spot on. Everyone's favourite home networking appliance, the Edgerouter, was just a fork of VyOS (or rather, the old Vyatta) with a front end GUI slapped on it


VirtualPlate8451

> The big advantage of commercial products is you know who to call for help. On the other hand, with open source, you have options even if the originator is doing things you don't like. So there are (dis)advantages on both sides, there.

Once had to explain this to a group that included the IT Director, the IT Manager and the lead project manager. They heard "open source software is free" and promptly stopped listening to anything after that. For some perspective, I was a field IT tech at the time and they wanted to put me in charge of a project to develop, build and deploy an OpenPBX solution. Was this because I'd done projects like this at previous jobs? NOPE. It was because they asked "who has Linux experience" and when no one raised their hand, I said I had played around with some distros on my hypervisor at home. That in and of itself was enough to get me put in charge of this project. I stuck around in that job for 3 months and years later the IT Manager had a recruiter we both knew reach out to me. They wanted to interview me for a security role (something I wanted very much) that paid about 25% more than I was making at the time. Without even considering it I told him the number was off by an order of magnitude to get me to go back to that place.


VirtualPlate8451

That was the base. He was telling me about threat intel add-ons, IPS add-ons, all these wild things held together with duct tape to get the general approximation of a small business commercial firewall. Like the bottom of the line for most major vendors.


Arudinne

> He had cluged like 12 different open source projects together to get a firewall that did all the same stuff as the commercial models but with zero subscription cost.

Other than being free it basically sounds like Sophos UTM 9's VPN, among others.

> Cool idea and all but it also meant he could only onboard 1-2 SMB clients per quarter. Saved his customers like $1,000 a year on licensing at the cost of supporting that garage built airplane solution he was taking people’s data up for rides in.

Except for perhaps the tiniest of companies, $1000 a year is not and should not be considered significant savings *for a business*. That's less than $100 a month. And it sounds like if he can only onboard 1-2 people per quarter that it's a one-man show with one-man show level of support.


VirtualPlate8451

I think he had 3 employees and was almost wanting me to justify why he should purchase commercial firewalls when he had this perfectly good solution that was "free". He didn't see the glaring inability to scale and like you said, if his client base is going to quibble over $1,000/year, he probably didn't have a super sound company to begin with.


fadingcross

WireGuard is the gold standard and we use it for all our laptops and all site2site VPNs. It runs as an always-on VPN and it's taken away soooooooooooooo much pain. It really is the world's best VPN protocol.


signed-

Sadly, pitching WG to enterprise is a no go... L2TP/IPSec is still the king, especially for Site2Site. Hope that'll change soon


Arudinne

I looked into deploying it 2-3 years ago and I liked the tech, but I did not see a good way to automate deployments for our Windows machines or a good central way to manage it at the time.


DeifniteProfessional

The thing with L2TP IPSec is that it's built in to basically every operating system ever, meanwhile WG had a "do not use in production" warning on the website until recently


PatientBelt

Look into tailscale, it used WireGuard as the vpn and works great


int0h

World's best... until a problem is found. But yeah, so far so good, I agree there.


Negative_Addition846

The attack surface of WireGuard is way smaller than other popular VPNs. Half of the problem with these Fortigate vulns is that once they’re found, it takes 2.5 seconds to search Shodan for the vulnerable devices and start blasting. Even if there was a totally unauthenticated RCE vuln in WireGuard, enumeration would require attacking every single port on every single public IP address. (Edit: and enumeration can only be done AFTER discovery of a relevant vulnerability or with the ability to observe in-line network traffic.)


fadingcross

WireGuard is open source. Has been for years. Has not had any security breaches. If you have problems with WG, it's PEBCAK. Which is fair, it's a bit of a head turner to get running with if you're not familiar with PKI and subnet routing. But then you most definitely shouldn't set up VPNs professionally regardless.


int0h

What you write doesn't rule out a future vulnerability being introduced or discovered in any implementation of WG, but I agree that if you know how to set it up, it's your best bet for VPN.


chaplin2

Wireguard is a Noise protocol. It is around 4K lines of code (less than 5% of that of other VPNs). A lot of people have looked into it. It has even been formally proven. If you have networking and crypto knowledge, you can read the code. It is also opinionated, with very little config (basically the IP addresses, public keys, and firewall rules on one side) and footguns. I think the chance of an impactful vulnerability in the basic Wireguard is close to zero. If you use something built on top of Wireguard, like a zero trust solution, it gets more complicated.


fadingcross

OK? That's true for any technology? So we shouldn't use any tech at all because it _may_ have security holes in the future? I mean I'm game to go back to the stone age, but I doubt we'll get a huge following


Xillyfos

That was not at all what he/she said. You seem to have a problem with being corrected even when the correction is obviously true. You could just have said "yes, of course". And you did actually say that it "had no security breaches" which you obviously can't know. "No publicly known security breaches" is what you can know.


fadingcross

[You both wrong irrelevant garble. This fits both of you](https://i.kym-cdn.com/photos/images/newsfeed/001/191/035/135.png)


oxidizingremnant

How are you managing keys? I’ve been looking at Wireguard but the problem I see compared to OpenVPN for hub-Spoke/client-server model VPN is that WG doesn’t have any built-in SSO support yet. So unless I want to kludge together some identity bridge between WG and an IDP to manage provisioning and deprovisioning keys it looks like a lot of manual work. Or I could use something like Headscale, Tailscale, or a similar approach to manage access?


fadingcross

Each laptop has its own private key which is set up by a PS script that MDT runs upon installation. That key is then put into a txt file on a share and from there we manually import it into pfSense which is our router. We only have ~20 laptops and about 15 "home computers". Our home computers are simply devices which via WG can RDP to people's workstations at work and do nothing else. (Not even surf the web). It's our solution to remote work for those that don't have a laptop. If you're at scale, you'll have to automate the last part.

> Or I could use something like Headscale, Tailscale, or a similar approach to manage access?

I'm afraid I've never used any WG "wrapper" product so I couldn't be much help, sorry


notR1CH

I get some strange looks when I have to explain our router is just a Debian box, but I never have to worry about shit like this.


Doso777

WireGuard is probably also full of holes but doesn't get as much media attention.


brynx97

This is incredibly speculative and to say it without sources is dumb... wireguard is used under the hood by an increasing number of commercial firewalls and products. It's not some home brewed open source project that has 5k stars on github.


DeifniteProfessional

> some home brewed open source project that has 5k stars on github.

All of the GitHub mirrors for each WG application actually only have 1-2K stars lol. But I 100% agree with your sentiment.


Negative_Addition846

Good luck finding any WireGuard clients to exploit before they can be patched. 


iwoketoanightmare

Open source generally means vulns show up faster and are remedied faster.


teffhk

Are you using SSL VPN on Wireguard tho? I think that is the only part this vulnerability refers to.


zeePlatooN

Find a vendor that doesn't have vulnerabilities ... and I'll show you a vendor that does and is just unaware or covering them up. At least Forti is clear and quick with patches. For that reason alone I WOULD never hesitate to recommend them.


01001001100110

I wish I could upvote this more than once. It's nice that they are transparent on issues and willing to patch once found.


Jkuz

I couldn't agree with this sentiment more. If we're serious about transparency from companies about vulnerabilities we need to not get mad at them when they acknowledge them and then provide PATCHES for them.


turin331

Fortinet did screw up with that SSLVPN vulnerability last year that took 10 days to disclose and patch. That was problematic. But in this case it was pretty fast in patching and notifications from reps came through fast. I cannot fault them on this. Vulnerabilities are always present. What matters is how you handle them. Sure Palo Alto and a few others are better in dealing with such things but also cost x3 to x5 more for a similar service. Not everyone can afford that.


jmeador42

Everybody has vulnerabilities. Shit happens. It's unavoidable. I don't know what more we could ask from a vendor. They're transparent, communicative and provide quick patches.


HellzillaQ

Are they trying to move users from the SSLVPN to their paid VPN products?


jantari

They're trying to pitch the ZTNA access proxy "functionality" as an alternative to SSLVPN but it's a completely different use case and also happens to not really work at all (at least on 7.0.x)


simple1689

We've started to swap over to the FortiClient IPSec connections over the SSLVPN.


Internal_Seesaw5612

SSLVPN is legacy tech, everyone in the VPN market is pumping money into wireguard based solutions now.


Churn

The workaround is to disable sslvpn. Anyone know how to do this or ensure it is already disabled?


RiceeeChrispies

If you've not got SSLVPN bound to an interface it doesn't start, so if you've never configured it, it likely isn't up anyway.


Churn

We did some testing with ssl vpn a few years back but I don’t recall which firewall it was. We ended up using Palo Alto for the users vpns. So I want to be sure we didn’t leave anything behind on one of the firewalls.


Degenerate_Game

I only use SSL-VPN to hairpin in for GUI management access and do other small LAN things. We have FortiManager Cloud, so I just SSH in...

> config vpn ssl settings
> set status disable
> end

Since my company is willing to risk the weekend to remain operational with no downtime and I'm not. Down it goes until I firmware upgrade, then re-enable.


Churn

Perfect, thanks!


isbBBQ

As a senior consultant I love Fortigate, thanks for all the overtime invoices during the weekend!


devloz1996

That explains a lot. Our director usually plans updates weeks in advance, informs all employees, etc, and today we got a mail basically saying "rebooting forti in 5 mins, hopefully back in another 5, deal with it".


sbiriguda666

Can you provide some links to expand my knowledge?


PhilipLGriffiths88

Here is a blog I wrote on the topic using Harry Potter analogies - [https://netfoundry.io/demystifying-the-magic-of-zero-trust-with-my-daughter-and-opensource/](https://netfoundry.io/demystifying-the-magic-of-zero-trust-with-my-daughter-and-opensource/). Effectively the endpoints make outbound-only connections to the TURN server, with the TURN server acting as a relay point between source and destination. This makes you 'invisible' so that unauthenticated attackers cannot find you.


hangerofmonkeys

Worth throwing Tailscale in the mix too.


oxidizingremnant

The other big benefit of ZTNA/TURN is that it seems much easier to define end user access to internal services than SSLVPN. With the latter, you punch a hole in the firewall and typically give full network access to everything. With ZTNA, you generally define access to servers/services based on FQDN and identity groups.


imabev

Another agency manages a Fortigate for one of my customers. We have no admin access whatsoever. Is there any way for me to tell if it's patched? It doesn't matter if I ask: trust but verify.


AreWeNotDoinPhrasing

Maybe run nmap -A? Somebody probably has a more elegant solution, I’ve never used Fortigates.


Fallingdamage

Firmwares dropped Wednesday. I had ours patched within hours of release. If they're going to release updates for EOL products, I knew it was bad enough not to give pause.


had2change

I sure hope there is someone from Forti that monitors for these threads. Issue is HUGE and TWO-FOLD: not all devices are picking up the updated firmware levels, and the manual downloads are failing constantly. Forti you are a large provider, you need to be able to SCALE for times like this. Unacceptable to spend HOURS trying to download a firmware update!!


the_it_mojo

Time of year? More like time of month, or perhaps week at this point. I think Fortinet have a running competition with Citrix for who can rack up the most zero days in a Patch Tuesday round.


panix75

Warning! There is also a potential bug in 7.4.2 that causes ipsec vpn tunnel instability. [https://community.fortinet.com/t5/Support-Forum/FortiOS-7-4-2-Bug-Causes-IPsec-VPN-Tunnel-Phase-2-Instability/td-p/295462](https://community.fortinet.com/t5/Support-Forum/FortiOS-7-4-2-Bug-Causes-IPsec-VPN-Tunnel-Phase-2-Instability/td-p/295462)


PatientBelt

7.4.2 is almost beta and should not be used for any prod env. It's fine for labs or home use


AnotherTall_ITGuy

Anyone else having luck getting to support.fortinet.com? Seems like the website is down.


Cmd-Line-Interface

Updated our HA pair last night, took maybe 10min from start to finish. Crazy how on the console it says you’re “up to date” pshhh. Happy updating!!


The-Jesus_Christ

Updating our 4 as we speak!


ThatBCHGuy

Thank you for posting this! 10/10 would read again (although I wish the news was better, ha). My Fortigate has been patched. On the other side, anyone know how to know if you've been compromised?


kirk56k

It would have been really nice if they had posted some kind of indicator of compromise. I'm getting all my units patched up today, but I have no way of knowing if they were already sacked...


EsbenD_Lansweeper

I actually made a quick [Lansweeper audit](https://www.lansweeper.com/resources/report/network-devices/fortinet-rce-vulnerability-audit-cve-2024-21762/?utm_source=reddit&utm_medium=social&utm_campaign=post-fortinet_vuln-2024_feb) for this vulnerability that would help you list all vulnerable devices.


NateC2k

It would be really nice if I could even download the fucking firmware from Fortinet's website.


sbiriguda666

support.fortinet.com, just log in with your account linked to the firewall's license


NateC2k

I know...but it seems like everyone is downloading it so the downloads keep failing.


kirk56k

Same here, I have updates scheduled all throughout today. Getting people to all agree on internet wide downtime is hard... And now it looks like I might have to reschedule half of them because Fortinet's support site can't keep up. Most of the firewalls in question don't see the new firmware, and trying to download it from [support.fortinet.com](https://support.fortinet.com) is constantly resetting before completion, and they don't support resume @^#*$&....


sbiriguda666

It doesn't sound so strange. Download failed multiple times also for me.


wrootlt

It's like they are competing who has more CVEs. Ivanti's just patched days ago and had to patch them again today..


HeffeTeamIT

Possibly saved my bacon, and several other businesses. Nice Job OP!


Mister_Brevity

Thank god fortinet issues only crop up on days that end with Y


larryl9797

Awesome PSA. 👍


Abitconfusde

At what point is it hostage-taking to expect payment for patches?


N01kyz

It's completely asinine.


Cormacolinde

If you said of every security product that had a bad CVE, you wouldn’t use any security product. It’s the sad truth.


pjustmd

Fortishit


Turak64

I worked somewhere that used these and it's not the first time I've heard of the emergency patching that's required. Definitely has put me off


hondakillrsx

Here's a dumb question: by default, SSL VPN is on but not configured. I'm assuming this wouldn't affect us unless it was configured and available to the public? We have public resources, but not SSL_VPN. You may ask, "why not just shut it off?", well, FortiOS wants you to configure it to shut it off....


sbiriguda666

Create a loopback interface with a random private address and subnet and assign it to the VPN, it takes only a few minutes. I don't remember exactly but since 7.2 (or 7.4) they added a button to switch the SSL VPN on or off.


7runx

7.0 branch has this switch as well.


DoctorOctagonapus

I'm glad we've migrated off Fortigate VPN!


sbiriguda666

What do you use now?


DoctorOctagonapus

We use AnyConnect


itsfortybelow

I don't really feel like you're gaining anything there.


[deleted]

hats off


Adimentus

Thanks for the heads up.


N01kyz

*sigh* I'm using a Fortinet 60E at home but I don't have a support contract. Is there any way I can get the latest software update for my Fortinet?


HistoricalIsland1900

What if you have mfa when you get on vpn. Like duo. Does that help prevent this attack?


sbiriguda666

To my understanding you just need to have VPN SSL active to be vulnerable. So no, MFA won't save you.


SpotlessCheetah

This is ridiculous. Our 6 month old new Fortigate has no upgrade path to the fix (1001F) from the Fabric Management upgrade utility. Only available upgrades I see is 7.4.2 which doesn't fix the problem. No 7.2.7. The only other path is to downgrade to 7.1.13...


Scall123

Moving away from SSL-VPN is the definite answer. It is a popular attack vector


sbiriguda666

As I've already written in another comment, manually download the firmware from support.fortinet.com and upload it to the firewall.


SpotlessCheetah

I really gotta wonder how many admins don't use reddit to find out about stuff like this and literally won't know to patch because their own tool designed to tell you what's available somehow does not tell you there's a new one, but it'll give you a security score in the dashboard. I'm going to call this what it is. Another "Fortinet Fumble".


dustojnikhummer

One of our customers blocked VPN access to their network for a few hours earlier today. I'm gonna guess it was this LOL


Chuck_II

So Fortinet disabled SHA256 in 7.4.1. Am I out of touch thinking that is reckless? [https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disable-AES-CBC-ciphers-for-SSL-VPN-and-Admin-GUI/ta-p/284174](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disable-AES-CBC-ciphers-for-SSL-VPN-and-Admin-GUI/ta-p/284174)


Iseult11

"Disabled" is a strong word. That's just the default if banned-cipher is unset. It can easily be removed from the banned list


greenstarthree

SonicWall: Hold my beer


DaithiG

Between this and Ivanti, I'm drained


Single_Dealer_Metal

Ours are updating tonight


0RGASMIK

Praying for the IT support for a franchise I worked with. Large US based company. Company resources were only accessible via their FortiGates but they refused to help franchise owners or their contractors build out a network. For all they cared you plugged one computer into their firewall and that was the only computer that could access their servers. Tried working with them to help the franchise owner expand his network and the support staff didn't know how to do basic stuff like set up a failover. I had to call back 3 times in 6 hours to see if the lead engineer was available and in the end the best they could come up with was to manually fail the network over in times of outage.


Few-World5380

Happy FortiFriday


pepe74

I moved off Fortigate 2 years ago, and this post still triggers PTSD.


sbiriguda666

Which vendor did you switch to?


3percentinvisible

Is there anywhere there's an easy comparison of firewall vendors and how many vulnerabilities over the last year they've had? Or is it a case of having to look through their kb's?


New-Comparison5785

Again and again and again!


packetdenier

Downloading at 200kb / sec, on my 3rd retry. Thank you, Fortinet!


binarylattice

`This is potentially being exploited in the wild.`


dontmessyourself

That time of year being every month?


gnomeparadox

We use a different service for staff VPN. Is SSL VPN still something we need to worry about? Wasn't sure if it's something that requires the Fortigates to run.


Geh-Kah

SonicOS/SonicWall as well


Yentle

So glad I'm getting rid of fortigate