Fortinet’s week to forget: Critical vulns, disclosure screw-ups, and that toothbrush DDoS attack claim

February 9, 2024 at 09:38AM

Summary:
Fortinet faced a series of security vulnerabilities impacting FortiOS, including a critical SSL VPN issue. Users were urged to upgrade to patched versions, with specific guidelines for affected FortiOS versions. Fortinet’s delayed and confusing response to vulnerability disclosures drew criticism. Additionally, an unusual incident involving a toothbrush DDoS attack and a dispute between Fortinet and a Swiss newspaper created further challenges.

Summary of Meeting Notes:

– Major security vulnerability in FortiOS impacting SSL VPN has been disclosed, tracked as CVE-2024-21762, with evidence of zero-day exploitation.
– Urgent patching of vulnerable VPNs is advised, as the vulnerability is easily exploitable and impacts various versions of FortiOS, including unsupported ones.
– Workarounds are limited, with the only recommended option being to disable the SSL VPN; disabling web mode alone won’t mitigate the vulnerability.
– Other critical vulnerabilities, including CVE-2024-23113, have been disclosed but not exploited in the wild.
– Confusing double bug disclosure by Fortinet raised concerns and resulted in delayed and inadequate responses, causing frustration for the media.
– Fortinet issued conflicting statements regarding new vulnerabilities, leading to confusion and frustration among media and security researchers.
– The vendor also faced a communication issue related to a reported DDoS incident involving malware-laden toothbrushes, with conflicting accounts from the media and Fortinet representatives.
– Fortinet’s public relations team is likely working to address the fallout from these issues.
