Hacker posts exploits for over 49,000 vulnerable Fortinet VPNs

[correlate]


MacDefender

Wow... As a Fortinet user, I can kinda see both sides here.

This is a super old vulnerability, from 2018, and is usually the kind of thing you'd patch right away. But Fortinet's firmwares struggle with quality -- oftentimes dot releases contain a mix of bug fixes and new regressions, and most Fortinet admins get scared of applying updates for that reason. Especially for a device as central to your network as the NGFW, most people's NGFWs do more than just handle the border between the internal network and WAN. They do complicated traffic policies, web filtering, perhaps even bridging things like Chromecasts for classrooms between VLANs. It's hard enough to schedule downtime to knock out the internet (which oftentimes knocks out phones too because of VoIP), but when such downtime results in further networking emergencies, it's tempting to put them off.

It seems like Fortinet should be providing more targeted "hotfixes" as an alternative -- for network admins that don't want to upgrade to a dot release with a few thousand miscellaneous release note entries, there should be an alternative that only contains the security patch of interest.

[correlate]

> Wow... As a Fortinet user, I can kinda see both sides here.
>
> This is a super old vulnerability, from 2018, and is usually the kind of thing you'd patch right away. But Fortinet's firmwares struggle with quality -- oftentimes dot releases contain a mix of bug fixes and new regressions, and most Fortinet admins get scared of applying updates for that reason. Especially for a device as central to your network as the NGFW, most people's NGFWs do more than just handle the border between the internal network and WAN. They do complicated traffic policies, web filtering, perhaps even bridging things like Chromecasts for classrooms between VLANs. It's hard enough to schedule downtime to knock out the internet (which oftentimes knocks out phones too because of VoIP), but when such downtime results in further networking emergencies, it's tempting to put them off.
>
> It seems like Fortinet should be providing more targeted "hotfixes" as an alternative -- for network admins that don't want to upgrade to a dot release with a few thousand miscellaneous release note entries, there should be an alternative that only contains the security patch of interest.

Today everything is targeted, from auto companies to banks, even protection companies.
Your analysis is convincing; great caution is required. :cool:

ForgottenSeer 58943

Patching is a key component of security. To let you know how bad this can get with lazy IT admins... When I purchased a FortiGate 100D recently, I found that it had four-year-old firmware on it. Even worse, once I got into it using the maintainer backdoor (which, by the way, makes it hilariously easy to break into a Fortinet if you have local access), I found that it was never properly configured, and I don't even want to disclose where this unit was deployed. It's embarrassing.

Fortinet, just like any UTM with a web admin console, can be vulnerable, but it can also be configured to be robust and almost unhackable, including disabling the maintainer backdoor.

config system global
set admin-maintainer disable
end

Another embarrassing aspect (of Fortinet) is that their units come with some specific open/closed non-stealth ports. But again, due diligence: those can all be disabled.

upnorth

more than 230,000 vulnerable FortiGate appliances using the VPN functionality, researchers found. Out of those, a full 88 percent, or more than 200,000 businesses, are using the default configuration and can be easily breached in an MitM attack.


ForgottenSeer 58943

In a nutshell - FortiGate appliances themselves generate a certificate for VPN. The SSL-VPN only checks for a cert, and not actually if it is a non-locally generated cert. So in theory, someone could generate a cert from a $50 FortiGate appliance on eBay and MiTM these VPNs. Since there is no validation of the cert matching the issuing device, that random cheap eBay-purchased Fortinet as noted above could generate certs to be used on any Fortinet VPN to MiTM the traffic with complete ease.

Contrary to what Fortinet says, I would consider this a vulnerability, and in fact I would go out a bit more and say this is gross negligence that they aren't pairing locally generated certs on SSL's with the deployed device... Also, since the default settings are rarely strayed from with the vast majority of these devices, it's probably a more widespread vuln than being indicated. That's just my perspective as a Fortinet NSE8 Engineer.
MacDefender

> In a nutshell - FortiGate appliances themselves generate a certificate for VPN. The SSL-VPN only checks for a cert, and not actually if it is a non-locally generated cert. So in theory, someone could generate a cert from a $50 FortiGate appliance on eBay and MiTM these VPNs. Since there is no validation of the cert matching the issuing device, that random cheap eBay-purchased Fortinet as noted above could generate certs to be used on any Fortinet VPN to MiTM the traffic with complete ease.
>
> Contrary to what Fortinet says, I would consider this a vulnerability, and in fact I would go out a bit more and say this is gross negligence that they aren't pairing locally generated certs on SSL's with the deployed device... Also, since the default settings are rarely strayed from with the vast majority of these devices, it's probably a more widespread vuln than being indicated. That's just my perspective as a Fortinet NSE8 Engineer.

I agree it's a vulnerability. Also on the client side, there is a singular checkbox in FortiClient for ignoring SSL VPN certs. When you select that, it means the client accepts ANY cert.

I would go one step further and say that IMO it's a requirement to at least pay $10/year for a cheap SSL certificate that validates properly for your SSL VPNs. It's kind of dumb that it's not OpenVPN style where the certificate bundle includes the expected public key of the server's self-signed certificate.
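The client-side check described in the two posts above (the SSL-VPN only confirming that some certificate exists, and the OpenVPN-style fix of shipping the expected server public key with the profile) as an added Go example; this is not code from the thread, from FortiClient or from Fortinet. It assumes a P-256 self-signed certificate stands in for the appliance-generated one, and the names NewApplianceCert, SPKIPin and PinnedClient are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewApplianceCert returns a fresh self-signed DER cert, standing in (by assumption) for a FortiGate's SSL-VPN portal cert.
func NewApplianceCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// SPKIPin hashes the cert's SubjectPublicKeyInfo: the value a VPN profile would carry so the client knows which appliance key to expect.
func SPKIPin(der []byte) ([32]byte, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(c.RawSubjectPublicKeyInfo), nil
}

// PinnedClient skips CA and hostname checks like the "ignore certs" checkbox does,
// but then refuses any server whose public key is not the pinned one.
func PinnedClient(pin [32]byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // chain/hostname checks off; VerifyPeerCertificate still runs
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return errors.New("server presented no certificate")
			}
			got, err := SPKIPin(raw[0]) // hash the leaf the server actually sent
			if err == nil && got != pin {
				err = errors.New("server public key does not match pinned key")
			}
			return err
		},
	}
}
```

A certificate minted on a second appliance with the same CommonName fails the pin check because its key differs, which is exactly the case the checkbox alone lets through.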

ForgottenSeer 89360

> In a nutshell - FortiGate appliances themselves generate a certificate for VPN. The SSL-VPN only checks for a cert, and not actually if it is a non-locally generated cert. So in theory, someone could generate a cert from a $50 FortiGate appliance on eBay and MiTM these VPNs. Since there is no validation of the cert matching the issuing device, that random cheap eBay-purchased Fortinet as noted above could generate certs to be used on any Fortinet VPN to MiTM the traffic with complete ease.
>
> Contrary to what Fortinet says, I would consider this a vulnerability, and in fact I would go out a bit more and say this is gross negligence that they aren't pairing locally generated certs on SSL's with the deployed device... Also, since the default settings are rarely strayed from with the vast majority of these devices, it's probably a more widespread vuln than being indicated. That's just my perspective as a Fortinet NSE8 Engineer.

That's one of the reasons why I stay away from Fortinet. Not only from their VPNs, but everything they offer. They came across as a company that tries to sell security in a business environment, but then doesn't cover the security 101.
MacDefender

> That's one of the reasons why I stay away from Fortinet. Not only from their VPNs, but everything they offer. They came across as a company that tries to sell security in a business environment, but then doesn't cover the security 101.

Who do you prefer, out of curiosity? I usually deploy either Fortinet or Meraki, used to deploy Sophos more with UTM 9, but since they switched to XG and acquired Cyberoam the product has gone seriously downhill.

I don't particularly love the quality of Fortinet, but they do have a great combination of featureset and performance. They offer 2-3 appliances below the $700 price point that can deal with a gigabit WAN with some degree of IPS and web filtering / AV. Nobody else offers an appliance capable of gigabit within a similar price point.

Honestly I like the software polish and prompt security updates of Cisco Meraki a lot more, but now that all my sites are gigabit capable, I simply cannot entertain the budget of $20,000 USD/yr.

ForgottenSeer 89360

> Who do you prefer, out of curiosity? I usually deploy either Fortinet or Meraki, used to deploy Sophos more with UTM 9, but since they switched to XG and acquired Cyberoam the product has gone seriously downhill.
>
> I don't particularly love the quality of Fortinet, but they do have a great combination of featureset and performance. They offer 2-3 appliances below the $700 price point that can deal with a gigabit WAN with some degree of IPS and web filtering / AV. Nobody else offers an appliance capable of gigabit within a similar price point.
>
> Honestly I like the software polish and prompt security updates of Cisco Meraki a lot more, but now that all my sites are gigabit capable, I simply cannot entertain the budget of $20,000 USD/yr.

I work with a rather large budget and rely on McAfee Web Gateway. I've used many others; I used to like Sophos too. I've worked with cheaper companies, such as WatchGuard, but I guess you get what you pay for.
It all depends on budget and needs.
Fortinet has always been a hard no for me.
MacDefender

> I work with a rather large budget and rely on McAfee Web Gateway. I've used many others; I used to like Sophos too. I've worked with cheaper companies, such as WatchGuard, but I guess you get what you pay for.
> It all depends on budget and needs.
> Fortinet has always been a hard no for me.

Yeah, to clarify, I use Fortinet to protect home-ish networks. I think spending $3000-4000 USD/yr on licensing for home network security (2 homes) is already beyond what the average person does. If I were an IT professional I'd push for something like Palo Alto Networks instead. You're right, you get what you pay for. IMO Fortinet delivers decent bang-for-the-buck. Their "SoC4" chip is basically the only thing in the sub-$1000 price point that can do IPS of gigabit traffic. They certainly don't do everything well, but if that's your budget, there aren't a lot of viable alternatives :(

I used to just build pfSense boxes and try to roll my own Suricata/Snort based security, but based on my personal pentesting, they don't perform nearly as well as Fortinet's curated IPS and web filtering databases.

(FWIW it's worth noting that Fortinet sells their IPS and AV data to lots of higher end vendors, so they are an important contributor to overall cybersecurity even when their own products can have some questionable choices.)

ForgottenSeer 89360

> Yeah, to clarify, I use Fortinet to protect home-ish networks. I think spending $3000-4000 USD/yr on licensing for home network security (2 homes) is already beyond what the average person does. If I were an IT professional I'd push for something like Palo Alto Networks instead. You're right, you get what you pay for. IMO Fortinet delivers decent bang-for-the-buck. Their "SoC4" chip is basically the only thing in the sub-$1000 price point that can do IPS of gigabit traffic. They certainly don't do everything well, but if that's your budget, there aren't a lot of viable alternatives :(
>
> I used to just build pfSense boxes and try to roll my own Suricata/Snort based security, but based on my personal pentesting, they don't perform nearly as well as Fortinet's curated IPS and web filtering databases.
>
> (FWIW it's worth noting that Fortinet sells their IPS and AV data to lots of higher end vendors, so they are an important contributor to overall cybersecurity even when their own products can have some questionable choices.)

Yeah, for home-ish networks, Fortinet might be an excellent choice and even more than what you need.
In a business environment there are now so many players, it's becoming difficult to make a choice.
There are many decent offerings, but I am strictly a McAfee person.
MacDefender

> Yeah, for home-ish networks, Fortinet might be an excellent choice and even more than what you need.
> In a business environment there are now so many players, it's becoming difficult to make a choice.
> There are many decent offerings, but I am strictly a McAfee person.

I'll have to look more into the McAfee offerings. I've been more intimately familiar with Cisco and PAN these days. Cisco has a commendably tuned IPS (custom Snort rules) and AMP is a great hybrid AV product. I think at the end of the day small businesses are really just bound by a budget, and I'd love for other vendors to target that price point. The FortiGate 61F is $600 for hardware and $1000/yr for full security licensing (AV, IPS, SSL inspection, reverse proxy, HTTPS accelerator, SSL and IPsec VPN) and does all of those things at 900 Mbps to 10 Gbps (6 Gbps IPsec VPN even with AES256-SHA512)... I think that's a price/performance benchmark no other vendor can hit.

I see a lot of small businesses buying small WatchGuard/SonicWall appliances, then turning off almost all NGFW features and basically using it as a NAT router in order to achieve high throughput. That IMO is worse than using a Fortinet, even with all of its warts. I still keep my eye peeled for something better in the low-end space though.

ForgottenSeer 89360

I agree with you that FortiGate offers great value.
Many small businesses go for SonicWall and Symantec Endpoint Protection (here in the UK) and then configure both of them poorly...
They use SEP 12, when the latest version is 14/15.
Many don't know what EDR/XDR is, unfortunately... until it's already too late.

ForgottenSeer 58943

I don't use Fortinet, and haven't for quite some time. While Fortinet has many good points, such as the throughput on the IPS and amazing web filtration, as well as a reasonably low price to renew, I felt they started sacrificing real security into the hands of their marketing people. Their focus was on business acquisition more than security from what I witnessed there, as well as an ever-encroaching intelligence complex intrusion into their company and culture. I hit the road, and with that, sold off all of my Fortinet gear. I don't even work in the UTM/Firewall/IT Security industry anymore but do something far more lucrative. But I will probably take a really early retirement and build a nice modern container home (Faraday) on a few acres in the north country of the USA and get away from it all.

Anyway..

I roamed around various UTMs.. Meraki, Untangle, Juniper, WatchGuard, Cyberoam, even some seriously hardened German brand. Ultimately none of them were to my liking, and all of them had their own set of issues. By the way, WatchGuard uses Cylance now...

For home users the Gryphon product line is going to offer as tight, even tighter in some respects, security. So personally I stick with that for my home, and deployed them to all of my friends'/family's homes. So far their infection rate has basically dropped to zero and I haven't been asked to come clean something up since. I'm good now: Gryphon and a Pi-hole with a million items being blocked, and some lockdowns and security on endpoints, and I am happy with the results.
MacDefender


FWIW Fortinet has now promised that they'll do long-term releases with high-quality targeted updates for production, so something along the lines of what I was suggesting, though not as great. I think it's a step in the right direction. I get that SD-WAN appliances are such a competitive space that feature development is how you sell them, but at the same time, it's totally broken if admins are not willing to patch high-severity vulnerabilities out of fear that a bundled feature change in a dot release breaks their network.

ForgottenSeer 58943

Based on my experience at Fortinet, toward the end of my tenure there they were almost entirely focused on the shareholders, in my opinion. Less about security and privacy and more about dumping out new products, features, fancy words and colorful marketing to attract more sales.

This is what basically happens with many/most corporations I've been at, at least at some point. While they usually start off focused on quality and security with cutting-edge engineers, working hard to win those tests and industry audits, eventually they degrade to the point that they just want to market bigger, newer, and more colorful things as fast as possible without regard to anything else. All about the shareholder.

I personally, even as a Fortinet NSE8 engineer, would not use Fortinet products with what I know today. The days of me recommending any of their products and services have long passed. Remember, once a corporation gets to a certain size, and attracts certain types of leadership, it's all about the mighty dollar and pleasing the shareholders. I place little to no trust in major corporations anymore and always choose the scrappy small/medium businesses, startups, or LLCs.