Patch and Vulnerability Management

By Carl Windsor | April 03, 2021

In May 2019, Fortinet issued a PSIRT advisory regarding an SSL vulnerability that had been identified by a third party research team and which we resolved. As part of this process, we issued a Customer Support Bulletin (CSB-200716-1) to highlight the need for customers to upgrade their affected systems. We also published a blog about this for our customers in August 2019 when this vulnerability was made public post-resolution at Black Hat in August 2019. Over a year later , the UK NCSC shared that these same vulnerabilities were still being targeted in the wild, and we published another blog in July 2020 and then another in November 2020 with the goal of continuing to educate and communicate with our customers. We also reached out via email to all customers still running the affected firmware, which by that time had been fixed for over 15 months, to again educate them about their risks and to urge these customers to upgrade affected solutions.

As part of our ongoing learning experience, we also changed several of our processes, including adjusting our PSIRT policy to more closely adhere to ISO standards, moving to a Monthly Patch Tuesday release model, and by adding a notification service to support and encourage our customers to adopt a more proactive risk management and mitigation process when it comes to potential vulnerabilities they may face.

Despite these ongoing communications efforts and process changes, the joint advisory from FBI and CISA that posted on April 2, 2021 provides evidence that there are still unpatched devices in the wild being abused, and highlights the risk of end users not proactively updating appliances. As a result, we are again reaching out to our customers to recommend that they immediately follow the recommendations in the following advisories to mitigate this risk. The specific PSIRTs referenced in the advisory are:

FG-IR-19-037 / CVE-2019-5591
FG-IR-18-384 / CVE-2018-13379
FG-IR-19-283 / CVE-2020-12812

We also recommend that if you are not running the latest release for your release train, that you look at the Fortinet PSIRT Website to assess the potential risks that this could pose in your environment.

At Fortinet, we are on a constant journey with our customers to best protect and secure their organizations. We welcome feedback from our customers on how we can better work together in this ongoing process. Please contact PSIRT via our Web Submission form if you have any suggestions or feedback.

You can also use this link for details of the current Fortinet PSIRT Policy and how to submit a potential vulnerability.