336,000 Servers Remain Unpatched Against Critical Fortigate Vulnerability (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Researchers say that nearly 336,000 devices exposed to the Internet remain vulnerable to a critical vulnerability in firewalls sold by Fortinet because admins have yet to install patches the company released three weeks ago. CVE-2023-27997 is a remote code execution in Fortigate VPNs, which are included in the company's firewalls. The vulnerability, which stems from a heap overflow bug, has a severity rating of 9.8 out of 10. Fortinet released updates silently patching the flaw on June 8 and disclosed it four days later in an advisory that said it may have been exploited in targeted attacks. That same day, the US Cybersecurity and Infrastructure Security Administration added it to its catalog of known exploited vulnerabilities and gave federal agencies until Tuesday to patch it.
Despite the severity and the availability of a patch, admins have been slow to fix it, researchers said. Security firm Bishop Fox on Friday, citing data retrieved from queries of the Shodan search engine, said that of 489,337 affected devices exposed on the internet, 335,923 of them -- or 69 percent -- remained unpatched. Bishop Fox said that some of the vulnerable machines appeared to be running Fortigate software that hadn't been updated since 2015. "Wow -- looks like there's a handful of devices running 8-year-old FortiOS on the Internet," Caleb Gross, director of capability development at Bishop Fox, wrote in Friday's post. "I wouldn't touch those with a 10-foot pole."
Can't win (Score:4, Insightful)
User controls updates: No! Now we have thousands of vulnerable machines online!
Automatic updates: No! I decide when I'm not going to update my critical infrastructure!
...Because It's 'Pick Your Poison' (Score:4, Insightful)
The problem is deeper, and there are no really good solutions.
The reason why "auto update everything" is less desirable than it used to be is because updates tend to be monolithic. None of these vendors believe in isolating security updates anymore; they come with UI changes or feature deprecations (Oblig XKCD [xkcd.com]) and bugs of their own, so there's always math regarding whether the security concerns outweigh the workflow changes...and since these sorts of security patches are unscheduled by definition, auto updates will make those sorts of changes random, and urgent. This has happened with Windows 10 and 11 several times over the past few years.
Back in the early releases of Sonicwall's SonicOS 7, there were issues with NativeBridge mode that persisted for a few revisions after; fortunately there weren't any massive security vulnerabilities I'm aware of, but we had clients running year-old firmware because their networks broke if we ran anything newer than RTM for the longest time.
Meanwhile, we have the "who pays for them" problem to solve. One might understand "there's no such thing as perfect code", while also taking exception to buying hardware that shipped with a 9.8 security vulnerability. Patches are how we deal with this, but if patches are paywalled, they don't get installed if the renewal cost is too high...so, appliances keep running vulnerable hardware.
This lends credence to the Meraki model, where you know your stuff is getting patched because if a router does not have active support, it's not routing...but then we end up with hardware that's DRM'd to the point of preventing functional hardware from, well, functioning, bringing with it unnecessary e-waste *and* further advancing the "you will own nothing and be happy about it" mentality where everything is a subscription.
So, I'm hard pressed to figure out what the best case scenario is here.
Re: (Score:2)
The problem is one step before: Vendor: Does not have any liability and hence does a lot of stuff cheaper than possible.
I mean, come on. A frigging Heap Overflow in security software? Those can be avoided by sound coding practices and can be found both with fuzz-testing and code-scanners like Fortify. Obviously, nobody at Crapinet cared enough.
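As an added example (not code from the page, from Fortinet, or from any commenter) of the "sound coding practices" and fuzz-style checking the comment above refers to: a constructed length-prefixed field copy in C, with the unchecked pattern beside a version that validates the claimed length against the destination capacity, plus a small guard-byte harness that feeds random lengths to the checked copy and reports whether anything was ever written past the buffer. The field size, input size, function names and inputs are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not Fortinet code: a field parsed from untrusted input
 * carries a length prefix. The unchecked copy trusts it; the checked copy
 * validates it against the destination capacity and the bytes available. */

#define FIELD_CAP 16   /* assumed capacity of the parsed field (hypothetical) */
#define INPUT_LEN 64   /* size of the constructed input the helpers use */

/* Unchecked pattern: copies as many bytes as the header claims. When
 * claimed_len exceeds the destination's capacity this writes past the end of
 * dst (a heap overflow if dst was malloc'ed). Kept only for contrast; the
 * helpers and harness below never call it. */
void copy_field_unchecked(uint8_t *dst, const uint8_t *src, size_t claimed_len)
{
    memcpy(dst, src, claimed_len);
}

/* Checked pattern: the destination capacity and the remaining input are
 * explicit parameters, and the claimed length is validated against both
 * before a single byte is copied. Returns bytes copied, or -1 on rejection. */
int copy_field_checked(uint8_t *dst, size_t dst_cap, const uint8_t *src,
                       size_t src_avail, size_t claimed_len)
{
    if (claimed_len > dst_cap)   return -1; /* would write past dst */
    if (claimed_len > src_avail) return -1; /* would read past the input */
    memcpy(dst, src, claimed_len);
    return (int)claimed_len;
}

/* Helper: run the checked copy for one claimed length against a FIELD_CAP
 * destination and an INPUT_LEN constructed input; returns its result. */
int checked_copy_result(size_t claimed_len)
{
    uint8_t dst[FIELD_CAP];
    uint8_t input[INPUT_LEN];
    for (size_t i = 0; i < INPUT_LEN; i++) input[i] = (uint8_t)i;
    return copy_field_checked(dst, FIELD_CAP, input, INPUT_LEN, claimed_len);
}

/* Minimal fuzz-style harness: a heap block of FIELD_CAP bytes followed by a
 * guard region filled with 0xA5. Random claimed lengths (0..INPUT_LEN-1) are
 * fed to the checked copy. Returns 1 if every oversize length was rejected,
 * every in-range length was copied, and the guard never changed; else 0. */
int guard_survives_random_lengths(unsigned iterations, unsigned seed)
{
    enum { GUARD = 32 };
    uint8_t input[INPUT_LEN];
    uint8_t *block = malloc(FIELD_CAP + GUARD);
    int ok = 1;
    if (!block) return 0;
    for (size_t i = 0; i < INPUT_LEN; i++) input[i] = (uint8_t)i;
    memset(block, 0, FIELD_CAP);
    memset(block + FIELD_CAP, 0xA5, GUARD);
    srand(seed);
    for (unsigned n = 0; n < iterations && ok; n++) {
        size_t claimed = (size_t)(rand() % INPUT_LEN);
        int r = copy_field_checked(block, FIELD_CAP, input, INPUT_LEN, claimed);
        if (claimed > FIELD_CAP && r != -1)            ok = 0; /* must reject */
        if (claimed <= FIELD_CAP && r != (int)claimed) ok = 0; /* must copy  */
        for (size_t g = 0; g < GUARD; g++)
            if (block[FIELD_CAP + g] != 0xA5) ok = 0;          /* no overrun */
    }
    free(block);
    return ok;
}

int main(void)
{
    printf("claimed 16 -> %d\n", checked_copy_result(16));  /* 16 */
    printf("claimed 17 -> %d\n", checked_copy_result(17));  /* -1 */
    printf("guard intact over 2000 random lengths: %d\n",
           guard_survives_random_lengths(2000, 7));         /* 1 */
    return 0;
}
```

The harness is the shape a real fuzzer or sanitizer run takes in miniature: the guard region stands in for the redzones AddressSanitizer places around heap allocations, and a length-prefixed parser that fails this kind of check is exactly what the commenter means by a bug that fuzz-testing finds.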
Re: (Score:1)
Re: (Score:2)
User controls updates: No! Now we have thousands of vulnerable machines online!
Legally, they should be fair game to knock offline after a two week grace period.
IT Outsourcing (Score:4, Insightful)
2. Execs fire the entire IT team
3. Company hacked via unpatched firewall
Re: (Score:2)
This is missing a critical step:
4. Execs become personally liable because of gross negligence.
Unless and until we get something like that, things will be getting worse in the IT security space.
Is it fair that you have to pay for the patch? (Score:5, Informative)
Re:Is it fair that you have to pay for the patch? (Score:5, Interesting)
FortiNet changed the firmware downloads to paywalled/support contract required a few months ago. This change meant that it was only a matter of time before huge numbers of out-of-support SMBs and HomeLabs fell prey to a vulnerability like this for which the only respite was to buy a support contract to get access to the fix.
This marks the end of my days as a FortiGate user. They practically gave away FortiGates to advanced users and partners who wanted to get competent with the technology, but those days are over and they are now forced to milk that userbase.
I'm not sure if I will go to Palo Alto or back to FOSS firewalls, but since most of the interesting features of the big kids require cloud subscriptions to keep abreast of signatures and threat actors, it becomes more a matter of who is patching the table-stakes vulnerabilities in a timely fashion and not making the casual owner of hardware feel like they are being offered a protection racket style deal to keep the thugs out.
Most orgs have to rethink self-management (Score:5, Interesting)
Small organizations, especially, simply can't afford to roll their own. If you want to, you need to set aside the cost to employ at least one person that knows what they're doing, and can keep up with patch cycles. So, at minimum, $150,000 (salary plus everything else). For plenty of small companies, that's their whole annual profit margin... gone.
Moving toward completely managed services is the answer for most. It's a hard uplift if you've got your own functioning data centre, less so if your needs are more modest. But the days of putting a box between your company and the internet and forgetting about it are gone.
The internet and the legal system share an annoying feature. Both have grown into ecosystems so complex that you need expensive people to engage in them - or to protect you from others in the same profession - and both have managed to make themselves necessary to conduct business. Somehow both groups of professionals (mostly) avoid the perception of being completely parasitic.
Re: (Score:2)
... But the days of putting a box between your company and the internet and forgetting about it are gone...
Those days never existed, or if they did, you were already doing it wrong. A firewall is a living breathing thing, and if you neglect it, it will fail you as surely as you failed it.
Putting it in the cloud does nothing to change that basic fact. And saying it makes it someone else's responsibility is patently bullshit. Even if it WAS their responsibility, it is still YOUR house in front of the fan when the crap starts flying.
Re: (Score:2)
Use cases used to commonly be simple enough that you could mostly neglect such systems. You might need to do an update occasionally, but that stuff was simple. The software didn't do much. Now the software is complicated, so the upgrades tend to be complicated as well. It's not just dump your config, maybe change some interface names, and upload it any more.
Re: (Score:2)
That's not reasonable. The whole point of purchasing the service is to make it somebody else's responsibility. That's like saying that, despite having a monitored alarm installed in your home, you're negligent if you don't also hire an onsite security guard.
Cloud (Score:3)
For all the people who regularly complain about the insanity of moving your organization to the cloud... this is one of the reasons why.
Keeping critical infrastructure updated and functional takes a lot of work. Especially for smaller organizations this means unpatched and potentially even forgotten services.
Re: (Score:3)
And you somehow are under the illusion that cloud systems do not need to be kept current? They do. And the process is not any less problematic for the users.
Now, when the cloud vendor messes up an update you are just more helpless because you cannot even rip out that Crapigate and replace it with something better. On the other hand, the cloud vendor is hopefully under more pressure to fix things. Whether that is a trade-off that works out remains to be seen, but I know of folks that have moved out of the cl
Re: (Score:2)
Of course cloud systems need to be kept current. The difference is it's much easier for cloud vendors, economically and culturally, to do so.
If you're a company who builds widgets, even software widgets, then that's what you focus on, and everything else, including IT, is a costly distraction. This means server updates will always come second to widget production and maintenance.
Maybe you have a sysadmin or two, or more, since things happen*, who should ensure all that stuff is fully up to date and funct
Re: (Score:2)
Cloud - Someone else's computer - that they control in part and you control in part ... this is just outsourced IT but more so ...
Re: (Score:2)
And where you are screwed if they do something you did not expect or cannot fix.
Re: (Score:2)
This is silly. Don't bring the car to a mechanic because they might not fix it right. Do it yourself, even under warranty. Don't go to a doctor for your hernia operation, buy a scalpel, a set of mirrors, and a textbook and do it yourself. They might screw it up.
You buy professional services so you don't have to buy professionals.
honeypots (Score:2)
> looks like there's a handful of devices running 8-year-old FortiOS on the Internet
Things are not always what they seem to be. Welcome to the observation deck, where you are the spectacle.
Vulnerable if SSL-VPN is enabled (Score:1)
The posted workaround is to disable SSL-VPN. Likely not all of these have that feature enabled.