Fortinet VPN Client Exposes VPN Creds; Palo Alto Firewalls Allow Remote Attacks (bleepingcomputer.com) 32
An anonymous reader shares a report: It's been a bad week for two of the world's biggest vendors of enterprise hardware and software -- Fortinet and Palo Alto Networks. The worst of the bunch is a credentials leak affecting Fortinet's FortiClient, an antivirus product provided by Fortinet for both home and enterprise-level clients. Researchers from SEC Consult said in an advisory released this week that they've discovered a security issue that allows attackers to extract credentials for this VPN client. The second major security issue disclosed this week affects firewall products manufactured by Palo Alto Networks and running PAN-OS, the company's in-house operating system. Security researcher Philip Pettersson discovered that by combining three vulnerabilities together, he could run code on a Palo Alto firewall from a remote location with root privileges.
Re: Poor NSA (Score:1)
I have a few good ones for Firepower... my favorite is a code injection in transparent mode that installs uCIP into the Ethernet driver and allows running a shell in the kernel. Works on Checkpoint too.
I don't have any for Juniper because I haven't bothered with BSD.
Re: (Score:2, Funny)
You're full of crap. Hackers don't use shitty iPhones that fail basic ANSI punctuation.
Re: (Score:1)
Nope. Palo Alto however...
I wouldn't touch Fortinet with someone else's ten foot pole. I was just pondering their suckritude a fortnite ago when I found that WatchGuard is still a brand.
Some things just should not be.
[In case someone wonders, no I do not consider Barracuda a security company. They are an airport and AM radio media marketing firm that subconsciously programs you to want cocaine in your coffee, or Monster energy drinks... whichever is closer]
Doesn't surprise me. (Score:1)
I worked for FortiNet,
Their code is crap and they know it.
They are trying hard to rewrite most of it, but it's years of effort.
Re:Doesn't surprise me. (Score:4, Interesting)
I worked for FortiNet,
Their code is crap and they know it.
They are trying hard to rewrite most of it, but it's years of effort.
Fortunately it doesn't take years of effort to stop using their products.
Re: (Score:2)
Fortunately it doesn't take years of effort to stop using their products.
Of course it does. Some of their clients are definitely not fast at making decisions, implementing changes and so on.
Re: (Score:2)
Yeah, that's how you end up with crappy JunOS instead of just fine Netscreen OS.
Re: Doesn't surprise me. (Score:1)
It's actually kind of amazing. For a basic firewall, ScreenOS is so rock-solid stable and "just works".
As nice as the Junos CLI is, it's a shame that Juniper killed ScreenOS.
Re: Doesn't surprise me. (Score:1)
iOS 11.2.5 beta just dropped, so maybe, but I doubt it. Until it is, more hush and less drivel please.
Itâ(TM)s.
Re: (Score:2)
I worked for FortiNet,
Their code is crap and they know it.
They are trying hard to rewrite most of it, but it's years of effort.
Worse than Cisco's? That's quite a feat
These are the companies that have the gall (Score:2)
to charge $80,000 for a ~12 port gigabit Linux-based iptables server and not even modern, some of the older models run Kernel 2.2 and the newer ones 2.4.
Re: (Score:2)
$80,000? We just dropped $17 million on a device and service contract (for 3 years?)...
Re: (Score:1)
I think they probably like Wildfire and functional AppID that doesn't rely on crappy Cisco Firepower rules, and are probably fine with a three way handshake.
Re: These are the companies that have the gall (Score:1)
Or the ones that know all about it but just don't have the time to be rolling their own solution (incl reporting, managing fingerprints for services, etc). Personally, I've got way too many other things to be doing rather than keeping track of that stuff. Maybe if all I did was maintain a firewall, I could sustain the practice you seem to recommend.
Re: These are the companies that have the gall (Score:2)
There are much better appliances out there that are both open, flexible and rather cheap. The fact you can get an extra tech for the yearly licensing per firewall is a reason not to choose them. The only reason you do is because they provide easy integration with certain black boxes you need if you have a carrier grade network.
Re: (Score:2)
Modern firewalls are better thought of as a server with dozens of different application proxies and Linux/iptables sat underneath it. They can intercept most protocols and in Palo's case pull files out of the streams and run virus checks or sandbox tests on them, for example SMB connections. That complexity will increase the attack surface, but that can be managed by keeping on top of updates and using layered security so the firewall isn't the only control. The benefits are huge especially in complex organ