FortiGate Firewalls Still Unpatched
Researchers at Bishop Fox say that more than 330,000 FortiGate firewalls remain unpatched against a known critical heap-based buffer overflow vulnerability; Fortinet released updates to address the flaw last month.
The headline should probably read that these firewalls are likely already compromised. Patching them may not suffice.
That figure means only about 31% of internet-exposed FortiGate devices have been patched in the three-and-a-half weeks or so since Fortinet released the patch. “Time at known risk” is something that needs to be decreasing. If limited downtime windows are the reason (vs. just not noticing the risk), it is time to escalate to management that one incident will overcome years of availability gained from shortened change windows.
The flaw affects devices with VPN enabled, so it is likely that some of these are not running the VPN. The trick here is that the vulnerable code is present even if the VPN is not used, necessitating an update. The narrowness of the flawed services allows you to test the update before going to production, but you still need to keep moving forward. If you haven't recently, you may want to run a Shodan search for devices in your address space you might have missed.
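The triage logic the two notes above describe (firmware at or above the fixed build for its branch, VPN-enabled and internet-exposed devices first, but every device still needing the update, and the fleet's time at known risk) is easy to get wrong by hand. The script below is an added example, not code from the page or from Fortinet; the inventory, the per-branch fixed-version table, the advisory date and the report date are all constructed placeholders, and the real fixed builds must be taken from the vendor advisory before it is run against a real fleet.

```python
"""Patch-status triage for a FortiGate fleet (added example, not from the page).

All concrete values here are constructed placeholders: the inventory, the
per-branch fixed versions and the dates. Replace FIXED_VERSIONS with the
builds named in the vendor advisory before using this on a real inventory.
"""
from dataclasses import dataclass
from datetime import date


def parse_version(text: str) -> tuple:
    """Turn 'v7.2.4' or '7.2.4' into (7, 2, 4) so versions compare as tuples."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


@dataclass
class Device:
    hostname: str
    version: str
    ssl_vpn_enabled: bool
    internet_exposed: bool


# PLACEHOLDER fixed builds keyed by (major, minor) branch. These numbers are
# invented for the example; the vendor advisory lists the real ones.
FIXED_VERSIONS = {
    (7, 2): (7, 2, 9),
    (7, 0): (7, 0, 9),
}

# Constructed inventory, as an asset-management export might look.
INVENTORY = [
    Device("fw-dc1", "7.2.9", ssl_vpn_enabled=True, internet_exposed=True),
    Device("fw-branch", "7.2.4", ssl_vpn_enabled=True, internet_exposed=True),
    Device("fw-lab", "7.0.3", ssl_vpn_enabled=False, internet_exposed=False),
    Device("fw-legacy", "6.0.12", ssl_vpn_enabled=True, internet_exposed=True),
    Device("fw-dmz", "v7.0.9", ssl_vpn_enabled=False, internet_exposed=True),
]

ADVISORY_DATE = date(2023, 6, 12)  # placeholder: day the fix was published
REPORT_DATE = date(2023, 7, 5)     # placeholder: day this report is run


def is_patched(version: str, fixed_versions: dict) -> bool:
    """True when the firmware is at or above the fixed build for its branch.

    A branch with no entry in the table has no fix available (end-of-support),
    so it is treated as unpatched rather than silently ignored.
    """
    v = parse_version(version)
    fixed = fixed_versions.get(v[:2])
    return fixed is not None and v >= fixed


def risk_level(dev: Device, fixed_versions: dict) -> str:
    """Rank one device for the patch queue."""
    if is_patched(dev.version, fixed_versions):
        return "patched"
    # Reachable attack surface: exposed and running the affected service.
    if dev.ssl_vpn_enabled and dev.internet_exposed:
        return "critical"
    # The vulnerable code ships in the firmware regardless of VPN use, so a
    # device that is not exposed today still needs the update.
    return "update-required"


def days_at_known_risk(advisory: date, today: date) -> int:
    """Days elapsed since the fix became available."""
    return (today - advisory).days


def summarize(devices, fixed_versions, advisory: date, today: date) -> dict:
    """Fleet-level view: counts per risk level, the share of internet-exposed
    devices already patched, and the time at known risk."""
    counts = {"patched": 0, "critical": 0, "update-required": 0}
    for dev in devices:
        counts[risk_level(dev, fixed_versions)] += 1
    exposed = [d for d in devices if d.internet_exposed]
    patched_exposed = sum(1 for d in exposed if is_patched(d.version, fixed_versions))
    pct = round(100 * patched_exposed / len(exposed)) if exposed else 0
    return {
        **counts,
        "exposed_patched_pct": pct,
        "days_at_known_risk": days_at_known_risk(advisory, today),
    }


if __name__ == "__main__":
    for dev in INVENTORY:
        print(f"{dev.hostname:12} {dev.version:8} {risk_level(dev, FIXED_VERSIONS)}")
    print(summarize(INVENTORY, FIXED_VERSIONS, ADVISORY_DATE, REPORT_DATE))
```

The "critical" bucket is the order in which to schedule change windows; the "update-required" bucket is the reminder that turning the VPN off is not a substitute for the update. Feeding the script the device list from a Shodan search over your own address space, rather than the asset register, is a useful way to catch devices the register has missed.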
The first thing I do when I see the headlines is make sure I have the latest version of the firmware on a FortiGate I have. Now that this is out of the way, I must say a few things. First, it’s hard to figure out when to patch these things. It’s not automatic, and it’s ad-hoc. It also can break; I had one of my settings break after an upgrade. I understand why the administrators are not patching, because they may not be aware and may be concerned about a big outage. It is, however, concerning that the number mentioned is 336,000. It’s also concerning that it's an attack on VPN. If this is true, I can only imagine that hundreds of thousands of companies could be completely owned by now. I hope that is not the case and this is just based on old Shodan data. If this is true and the numbers hold up, expect a lot of breaches in the upcoming months (years?).
Well, this is depressing news: fully two-thirds of FortiGate firewalls have not yet been patched a month after the fix was released. If cyber criminals haven’t already, they will certainly read Bishop Fox’s blog and take advantage of those organizations that fail to patch the vulnerability lurking in their infrastructure.