PSIRT Blogs
Regarding the FBI - CISA/NCSC alerts of FortiGate SSL-VPN vulnerabilities being exploited in the wild
A recent FBI advisory outlined that foreign hackers had gained access to a local US municipal government network after exploiting vulnerabilities in an unpatched Fortinet networking appliance.
This advisory, however, was not the result of cybercriminals targeting a newly identified security issue. The sad fact is, fixes for these vulnerabilities had been shared with affected customers over two years ago. This and similar incidents highlight that the failure to patch vulnerable systems still represents one of the most critical security gaps in many organizations and is responsible for the vast majority of network breaches and data loss.
Since these vulnerabilities were first discovered, Fortinet has taken exhaustive steps to notify and educate customers, urging them repeatedly to upgrade their affected systems to the latest patch release. It’s a scenario software and firmware developers know all too well. Fortinet and organizations like the NCSC, FBI, and CISA have issued 15 separate notifications and advisories to Fortinet customers over the past two years, warning them of the risks of failing to update affected systems and providing links to critical patches:
Source | Type | Title | Date
Fortinet | PSIRT Advisories | | May 24, 2019
NCSC & CSE | Advisory | | July 16, 2019
Fortinet | PSIRT Advisories | | July 26, 2019
Fortinet | PSIRT Blog | | August 28, 2019
Fortinet | Knowledgebase Article | Technical Tip: Security vulnerabilities discussed at the BlackHat 2019 conference | August 28, 2019
NCSC | Advisory | | October 02, 2019
NCSC | Weekly Threat Brief | APT-29 targeting vaccine research; NCSC reiterates advice to patch VPNs | June 12, 2020
Fortinet | Advisory | | July 13, 2020
Fortinet | Customer Support Bulletin | | July 16, 2020
Fortinet | PSIRT Blog | | July 16, 2020
Fortinet | Email Notification | Follow-up email to all customers running insecure firmware | November 17, 2020
Fortinet | PSIRT Blog | | November 30, 2020
FBI | Advisory | | May 27, 2021
FBI & CISA | Advisory | FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities | April 02, 2021
Fortinet | PSIRT Blog | | April 03, 2021
Like other vendors, we also incorporated this event into our ongoing learning and development experience, including amending several of our processes. We modified our published PSIRT policy to adhere even more closely to ISO standards. We adopted a monthly Patch Tuesday release model and established a notification service to support and encourage customers to adopt a more proactive risk management and mitigation process regarding potential vulnerabilities they may face.
However, despite these exhaustive communications efforts and process changes, recent briefings from government agencies—including the FBI Flash Alert MI-000148-MW posted on May 27, 2021, and the joint advisory from FBI and CISA posted on April 02, 2021—provide evidence that there are still unpatched devices in the wild being actively targeted by criminal organizations. This further highlights the risk taken by those organizations that choose to disregard vendor, industry, and governmental advice by not proactively updating their devices.
As a result, we are again reaching out to our customers to urge them to immediately follow the recommendations in the following advisories to mitigate this risk. The specific PSIRTs referenced in the most recent FBI Flash Alert advisory are:
FG-IR-19-037 / CVE-2019-5591
FG-IR-18-384 / CVE-2018-13379
FG-IR-19-283 / CVE-2020-12812
We also recommend that affected customers consult the Fortinet PSIRT website to assess the potential risks to their environment that could result from not running the latest version for their release train.
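The check described above, turned into a small fleet audit, as an added example that is not Fortinet's own code: it parses FortiOS version strings from a constructed device inventory and flags every device that is behind the latest release of its release train, or on a train the operator has no current release recorded for. The per-train "latest" numbers are labelled placeholders, not real Fortinet releases, and must be filled in from the PSIRT site.

```python
"""Release-train patch-compliance audit for a FortiGate inventory.

Added example, not Fortinet code. LATEST_PER_TRAIN holds PLACEHOLDER
patch levels (not real releases); populate it from the Fortinet PSIRT
site for the trains you actually run. The inventory is constructed data.
"""
import re
from typing import NamedTuple

# Placeholder table: release train (major, minor) -> latest patch level.
# These numbers are constructed for the example, NOT taken from Fortinet.
LATEST_PER_TRAIN = {
    (6, 0): 12,
    (6, 2): 9,
    (6, 4): 6,
}

# Accepts "6.0.10", "v6.0.10" and "v6.4.6,build1879" style strings.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


class Finding(NamedTuple):
    host: str
    version: str
    status: str  # "current", "behind" or "unknown-train"


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError on junk input."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(host, version):
    """Compare one device against the latest release of its own train."""
    major, minor, patch = parse_version(version)
    latest = LATEST_PER_TRAIN.get((major, minor))
    if latest is None:  # no current release recorded: likely EOL train
        return Finding(host, version, "unknown-train")
    return Finding(host, version, "current" if patch >= latest else "behind")


def assess_inventory(lines):
    """Each line is '<hostname> <version>'; non-current devices sort first."""
    findings = [assess(*ln.split(maxsplit=1)) for ln in lines if ln.strip()]
    return sorted(findings, key=lambda f: f.status == "current")


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    "fw-branch-01 v6.0.5,build0268",
    "fw-dc-01 v6.4.6,build1879",
    "fw-lab-02 v5.6.13",
    "fw-hq-01 v6.2.9,build1234",
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f.status:14} {f.host:14} {f.version}")
```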
The security landscape is constantly evolving, and maintaining all systems—especially security devices—is essential to stay ahead of cybercriminals. Like most vendors, Fortinet provides customers with support and regular firmware updates to fix issues such as those documented here. However, it remains clear that some organizations do not take advantage of these services and do not consistently patch critical systems.
There can be many reasons why patching may be deferred or not completed. The inability to take critical systems offline for patching due to safety or other concerns, onerous testing requirements for new updates, and even understaffed or inexperienced security teams can all play a role. Our online and local technical support experts are available to provide guidance. But for those running affected systems that cannot take immediate remediation steps, Fortinet recommends immediately disabling all SSL-VPN functions until updates can be applied.
At Fortinet, we are on a constant journey with our customers to best protect and secure their organizations. We welcome feedback on how we can better work together in this ongoing process. Please contact PSIRT via our Web Submission form if you have any suggestions or feedback.
You can also use this link to learn details about our current Fortinet PSIRT Policy and how to submit a potential vulnerability to the PSIRT team.