PSIRT Blogs

Prioritizing Patching is Essential for Network Integrity

By Carl Windsor | June 01, 2021

Regarding the FBI - CISA/NCSC alerts of FortiGate SSL-VPN vulnerabilities being exploited in the wild

A recent FBI advisory outlined that foreign hackers had gained access to a local US municipal government network after exploiting vulnerabilities in an unpatched Fortinet networking appliance. 

This advisory, however, was not the result of cybercriminals targeting a newly identified security issue. The sad fact is, fixes for these vulnerabilities had been shared with affected customers over two years ago. This and similar incidents highlight that the failure to patch vulnerable systems still represents one of the most critical security gaps in many organizations and is responsible for the vast majority of network breaches and data loss.

Since these vulnerabilities were first discovered, Fortinet has taken exhaustive steps to notify and educate customers, urging them repeatedly to upgrade their affected systems to the latest patch release. It’s a scenario software and firmware developers know all too well. Fortinet and organizations like the NCSCFBI, and CISA have issued 15 separate notifications and advisories to Fortinet customers over the past two years, warning them of the risks of failing to update affected systems and providing links to critical patches:

Fortinet Advisory Timeline

 

Fortinet 

PSIRT Advisories

FG-IR-18-384 / CVE-2018-13379

May 24, 2019

 

NCSC & CSE

Advisory

Advisory: APT29 targets COVID-19 vaccine development

July 16, 2019

Fortinet

PSIRT Advisories

FG-IR-19-037 / CVE-2019-5591

July 26, 2019

Fortinet

PSIRT Blog

FortiOS and SSL Vulnerabilities

August 28, 2019

Fortinet

Knowledgebase Article

Technical Tip: Security vulnerabilities discussed at the BlackHat 2019 conference

August 28, 2019

NCSC

Advisory

Vulnerabilities exploited in VPN products used worldwide

October 02, 2019

NCSC

Weekly Threat Brief

ATP-29 targeting vaccine research NCSC reiterate to patch VPNs 

June 12, 2020

Fortinet

Advisory

FG-IR-19-283 / CVE-2020-12812).

July 13, 2020

Fortinet

Customer Support Bulletin 

CSB-200716-1

July 16, 2020

Fortinet

PSIRT Blog

ATP 29 Targeting SSL VPN Flaws

July 16, 2020

 

Fortinet

Email Notification

Follow-up email to all customers running insecure firmware

November 17, 2020

Fortinet

PSIRT Blog

Update Regarding CVE-2018-13379

November 30, 2020

FBI

Advisory

FBI Flash MI-000148-MW

May 27, 2021

FBI & CISA

Advisory

FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities

April 02, 2021

Fortinet

PSIRT Blog

Patch and Vulnerability Management

April 03, 2021

Like other vendors, we also incorporated this event into our ongoing learning and development experience, including amending several of our processes. We modified our published PSIRT policy to adhere even more closely to ISO standards. We adopted a monthly Patch Tuesday release model and established a notification service to support and encourage customers to adopt a more proactive risk management and mitigation process regarding potential vulnerabilities they may face.

However, despite these exhaustive communications efforts and process changes, recent briefings from government agencies—including the FBI Flash Alert MI-000148-MW posted on May 27, 2021, and the joint advisory from FBI and CISA posted on April 02, 2021—provide evidence that there are still unpatched devices in the wild being actively targeted by criminal organizations. This further highlights the risk taken by those organization that choose to abstain from vendor, industry, and governmental advice by not proactively updating their devices.

As a result, we are again reaching out to our customers to urge them to immediately follow the recommendations in the following advisories to mitigate this risk. The specific PSIRTs referenced in the most recent FBI Flash Alert advisory are:

FG-IR-19-037 / CVE-2019-5591
FG-IR-18-384 / CVE-2018-13379
FG-IR-19-283 / CVE-2020-12812

We also recommend that affected customers look at the Fortinet PSIRT website to assess the potential risks to your environment that could result from not running the latest version for your release train.

Security Hygiene is Step One. We’re Here to Help

The security landscape is constantly evolving and maintaining all systems—especially security devices—is essential to stay ahead of cybercriminals. Like most vendors, Fortinet provides customers with support and regular firmware updates to fix issues such as those documented here. However, it remains clear that some organizations do not take advantage of these services and consistently critical patch systems.  

There can be many reasons why patching may be deferred or not completed. The inability to take critical systems offline for patching due to safety or other concerns, onerous testing requirements for new updates, and even understaffed or inexperienced security teams can all play a role. Our online and local technical support experts are available to provide guidance. But for those running affected systems that cannot take immediate remediation steps, Fortinet recommends immediately disabling all SSL-VPN functions until updates can be applied.

At Fortinet, we are on a constant journey with our customers to best protect and secure their organizations. We welcome feedback on how we can better work together in this ongoing process. Please contact PSIRT via our Web Submission form if you have any suggestions or feedback.

You can also use this link to learn details about our current Fortinet PSIRT Policy and how to submit a potential vulnerability to the PSIRT team. 

Tags: