A bad bug in Fortinet’s management software has been exploited for more than a week, but the company’s keeping it a secret: “FortiJump” has no CVE, no IoCs, no nothing. Sadly, this behavior seems par for the course for the firm (NASDAQ:FTNT).
And this is despite Fortinet’s “radical transparency” agenda. In today’s SB Blogwatch, we roll our eyes.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Apollo 6.
What’s the craic? Zeljka Zorz reports: Fortinet releases patches for undisclosed critical FortiManager vulnerability
“Private disclosure”
Fortinet has released critical security updates … to fix a critical vulnerability that is reportedly being exploited by Chinese threat actors. … The company, which is known for pushing out fixes for critical vulnerabilities before disclosing their existence, … privately notified select customers a week ago.
…
Fortinet has still not publicly released a security advisory for this issue or assigned it a CVE. … Time will tell whether their decision to keep this information close to the chest and engage in limited, private disclosure was correct.
And Dan Goodin adds: FortiGate admins report active exploitation 0-day. Vendor isn’t talking.
“Lack of transparency”
Fortinet, a maker of network security software, has kept a critical vulnerability under wraps for more than a week amid reports that attackers are using it to execute malicious code on servers used by sensitive customer organizations. Fortinet representatives didn’t respond … and have yet to release any sort of public advisory.
…
The lack of transparency is consistent with previous zero-days that have been exploited against Fortinet customers. [Fortinet] has a history of silently patching critical security vulnerabilities and disclosing them only after they’re widely exploited. [Its] opaqueness in responding to the zero-day comes as [CISO] Carl Windsor … in May [committed] to “being a role model in ethical and responsible product development and vulnerability disclosure.”
Wait. He said whatnow? Carl Windsor said it’s One Crucial Way Fortinet Strengthens Customer Security:
“Proactively modeling leadership”
Timely and ongoing communication with our customers is essential in our efforts to help protect and secure their organizations. … There are instances when confidential and advanced customer communications can include early warnings on advisories, enabling our customers to further strengthen their respective security postures before the advisory is released publicly. This continued commitment to responsible … disclosure empowers our customers to make informed, risk-based decisions about their security. Keeping customers up to date on vulnerabilities and patches is imperative to help protect their critical assets.
…
Such an approach significantly enhances the safety of the entire cybersecurity ecosystem. … We will continue leading the way, proactively modeling leadership [and] bringing “radical transparency” to our industry.
That’s some hilarious bizspeke wordsalad. Kevin Beaumont ain’t impressed, labeling the bug FortiJump:
Did you know there’s widespread exploitation of Fortinet products going on using a zero day, and that there’s no CVE? Now you do.
…
[I found it] back on October 13th. [I gave] Fortinet time to get things in order and to give defenders some mitigations. But, well, it’s been a while. I gather they’ve notified some customers via email, [but] many people in infosec didn’t get the email. … There’s still no CVE allocated. There’s still no reference to it on Fortinet’s PSIRT security advisory website. … There are some patches available, but not for all versions.
…
I’m not confident that Fortinet [is] protecting customers by not publicly disclosing a vulnerability. … This vulnerability has been under widespread exploitation for a while. It doesn’t protect anybody by not being transparent—except maybe themselves.
“Radical transparency” would include public IoCs, no? u/falcc41 helps us out where Fortinet failed:
Logging: Any event logging that indicates new unregistered/unauthorised devices being added. … These logs may look like:
type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log", … msg="Unregistered device localhost add succeeded" device="localhost" … operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"
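For anyone who wants to sweep their FortiManager event logs for the pattern u/falcc41 describes, here is a small detector. It is an added example, not code from the original post, from Fortinet, or from any commenter: it parses key=value event lines (values may be quoted and may contain commas, as the desc field above does) and flags dvm events whose operation is "Add device" and whose msg reports an unregistered device being added. The sample log lines are constructed for this example; only the field names and the "Unregistered device … add succeeded" text echo the line quoted above.

```python
"""
Detector for the FortiManager event-log pattern quoted in the post.
Added example, not Fortinet's code. Log lines below are constructed.
"""
import re
from typing import Dict, List

# One key=value field. Values are either double-quoted (and may contain
# commas or spaces) or bare tokens running up to the next comma/space.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]*)')

# Indicators taken from the quoted log line.
SUSPECT_OPERATION = "Add device"
SUSPECT_MSG_RE = re.compile(r"unregistered device .* add succeeded", re.IGNORECASE)


def parse_fortimanager_event(line: str) -> Dict[str, str]:
    """Parse a FortiManager-style key=value event line into a dict.

    Fields may be separated by commas or whitespace; surrounding double
    quotes are stripped from values.
    """
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        value = raw
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_unregistered_device_add(fields: Dict[str, str]) -> bool:
    """True when a device-manager (dvm) event records an unregistered
    device being added via an "Add device" operation."""
    if fields.get("type") != "event" or fields.get("subtype") != "dvm":
        return False
    if fields.get("operation") != SUSPECT_OPERATION:
        return False
    return bool(SUSPECT_MSG_RE.search(fields.get("msg", "")))


def find_suspect_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every line that matches the indicator."""
    hits = []
    for line in lines:
        fields = parse_fortimanager_event(line)
        if is_unregistered_device_add(fields):
            hits.append(fields)
    return hits


# Constructed sample log: line 1 mirrors the quoted indicator (the elided
# fields are filled with made-up values); lines 2 and 3 are benign noise.
SAMPLE_LOG = [
    'type=event,subtype=dvm,pri=information,'
    'desc="Device,manager,generic,information,log",user="admin",'
    'msg="Unregistered device localhost add succeeded" device="localhost" '
    'operation="Add device" performed_on="localhost" '
    'changes="Unregistered device localhost add succeeded"',
    'type=event subtype=dvm pri=information user="admin" '
    'msg="Device branch-fw-01 config status changed" device="branch-fw-01" '
    'operation="Edit device" performed_on="branch-fw-01"',
    'type=event subtype=system pri=information user="admin" '
    'msg="User admin logged in from 192.0.2.10"',
]

if __name__ == "__main__":
    for hit in find_suspect_events(SAMPLE_LOG):
        print("SUSPECT: device=%s performed_on=%s msg=%r"
              % (hit.get("device"), hit.get("performed_on"), hit.get("msg")))
```

Run it against an export of the FortiManager event log one line per entry; a hit for a device you did not register yourself is worth a closer look, which is the same judgement the comment above asks admins to make by hand.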
Useful. Shame Fortinet didn’t publish this. And demonpaw adds more handy info:
Fortinet sent us last week an advisory (whose redistribution was prohibited). … We just upgraded to be safe from this RCE, but that broke the management of several of our Fortigates—sigh.
…
By the way, this affects only Fortimanager, a (virtual or hardware) appliance used to manage Fortigates (the firewalls). The Fortigates themselves are immune to this bug, since it resides on the server daemon that Fortimanager uses to manage them.
This really doesn’t look good. Gilgwath takes a wider view:
I’d say they are hell bent on destroying their trust and reputation.
Then I remembered that they have nothing left to lose 😬
On the other hand, u/CautiousCapsLock stands up for Fortinet’s unusual interpretation of “transparency:”
Fortinet won’t make a public disclosure before a fix is out and applied to X% of affected products. Otherwise, they disclose, every malicious actor under the sun sees this and uses it against your kit before you have an opportunity to patch.
But the industry rejected that strategy decades ago. It’s proven to be worse than actual transparency. LauraW thinks Fortinet’s SOP is ridiculous:
That’s an—interesting strategy, given all the info already available. … A fix is already available and Fortinet still won’t tell admins exactly what is going on or how urgent these patches are?
And people still do business with these clowns? Why?
Meanwhile, a slightly sweary Cirio cuts to the chase:
I am so tired of Fortinet bull****. … How many intrusions are we gonna find years later that we’ll trace back to … this ****?
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: JJ Jordan (via Unsplash; leveled and cropped)