Conversation

Notices

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 21-Dec-2024 05:25:51 JST

There’s rumours flying around social media that Fortinet have another actively exploited zero day in FortiOS, which hasn’t been assigned a CVE again.

Same cycle - you might want to upgrade to latest release ASAP.

https://cyberplace.social/@David_Wong/113667058926011031

In conversation about 6 months ago from cyberplace.social

Attachments

1. David Wong (@David_Wong@cyberplace.social): @GossiTheDog Have you heard about a new Forti Manager vulnerability? There's no Fortiguard assigned, but like always, they're deploying an update with a short deadline.
Ben Stewart (obsidi88@mstdn.social)'s status on Saturday, 21-Dec-2024 05:46:57 JST, in reply to Kevin Beaumont

@GossiTheDog wait, another one? This isn't related to the fortiwlm? This is NEW?

In conversation about 6 months ago
OSPF110 ☕ (ospf110@cyberplace.social)'s status on Saturday, 21-Dec-2024 06:06:54 JST, in reply to Kevin Beaumont

@GossiTheDog No it's ok, I didn't really fancy this time off work I'm currently on 🙃

In conversation about 6 months ago
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 22-Dec-2024 06:09:00 JST, in reply to the thread above

Okay, after some amateur reverse engineering - upgrade your FortiGate firewalls to latest version. What’s a pun for Deep Packet Inspection?

In conversation about 6 months ago
João Tiago Rebelo (NAFO J-121) (jt_rebelo@ciberlandia.pt)'s status on Sunday, 22-Dec-2024 06:47:53 JST, in reply to Kevin Beaumont

@GossiTheDog Deep InPack(e)t?

In conversation about 6 months ago
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 22-Dec-2024 10:57:47 JST, in reply to the thread above

Calling this one DerpGate

In conversation about 6 months ago
Edgar Whelp (edgarwhelp@cyberplace.social)'s status on Sunday, 22-Dec-2024 11:02:16 JST, in reply to Kevin Beaumont

@GossiTheDog DerpiGate has more of a ring to it no? :-)

In conversation about 6 months ago
Andrew Golding (huronbikes@cyberplace.social)'s status on Sunday, 22-Dec-2024 11:42:19 JST, in reply to Kevin Beaumont

@GossiTheDog Derp Pocket Incision?

In conversation about 6 months ago
CWooWoo (carly@cyberplace.social)'s status on Monday, 23-Dec-2024 23:23:05 JST, in reply to Kevin Beaumont

@GossiTheDog any more info on this please?

In conversation about 6 months ago
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 23-Dec-2024 23:54:09 JST, in reply to the thread above

As an update to FortiOS thing - fixes are out for all the Fortigate versions except 6.4.x branch which has no fix still.

End of support versions - 6.2 and below - also vulnerable but no fix as EOL.

It looks like fix started in branches almost a year ago and hasn't been documented.

Not terribly exciting and you should probably be eating mince pies instead.

In conversation about 6 months ago

Attachments

1. http://EOL.It/
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 27-Dec-2024 16:54:39 JST, in reply to the thread above

This is similarish to the Fortigate zero day, also being exploited - in case of Fortigate it's a non-management packet which causes FortiOS to run out of memory and enter failopen https://infosec.exchange/@screaminggoat/113722788663656122

In conversation about 6 months ago

Attachments

1. Not Simon 🐐 (@screaminggoat@infosec.exchange): Merry fucking Christmas from **Palo Alto Networks (Zero-Day)**: [CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet](https://security.paloaltonetworks.com/CVE-2024-3393) [CVE-2024-3393](https://www.cve.org/CVERecord?id=CVE-2024-3393) (CVSSv4: 8.7 high) A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode. > Palo Alto Networks is aware of customers experiencing this denial of service (DoS) when their firewall blocks malicious DNS packets that trigger this issue. #zeroday #eitw #activeexploitation #vulnerability #paloaltonetworks #cve #CVE_2024_3393 #christmas
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 27-Dec-2024 16:58:59 JST, in reply to the thread above

Just to widen this out -- I'm aware of a telco which is experiencing denial of service using both vulns, an e-crime group has basically turned up with firewall non-management zero days which is another escalation.

In conversation about 6 months ago
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 27-Dec-2024 17:38:40 JST, in reply to the thread above

With the Palo-Alto one - if you run the exploit multiple times against a HA pair of Palo-Alto boxes, they both crash and don't reboot. Doesn't matter if you don't present DNSSEC to internet.

In conversation about 6 months ago
Kal Feher (kalfeher@infosec.exchange)'s status on Friday, 27-Dec-2024 23:01:16 JST, in reply to Kevin Beaumont

@GossiTheDog unless I misread the cve this isn't related to DNSSEC the protocol extension at all. This is just PA checking dns, logging it and dying bc some bad words made it into the logs.

In conversation about 6 months ago
Kal Feher (kalfeher@infosec.exchange)'s status on Saturday, 28-Dec-2024 00:38:27 JST

@GossiTheDog yes I think that’s well understood.
But I wouldn’t conflate DNSSec which is a protocol extension and a subset of dns packet types, with a FW doing dns security things. Perhaps it was inadvertent or from a sloppy release, but for clarity general dns security should not be referred to as dnssec. That will def confuse ppl

In conversation about 6 months ago
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 28-Dec-2024 01:33:25 JST, in reply to the thread above

If anybody is dealing with the Palo Alto CVE-2024-3393 situation - they've neglected to mention they haven't yet released updates for the different impacted versions, so the temp mitigation is turn off logging in your anti-spyware policies if update isn't out yet.

In conversation about 6 months ago

Attachments

1. https://cyberplace.social/system/media_attachments/files/113/725/741/085/662/103/original/bfe80e39c0d1a83e.png
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 28-Dec-2024 01:35:29 JST, in reply to the thread above

Also, if you want to know what an impacted box looks like, if you attach a cable to it, it looks like this

In conversation about 6 months ago

Attachments

1. https://cyberplace.social/system/media_attachments/files/113/725/755/046/683/660/original/8e3295e97194ab1a.png
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 28-Dec-2024 01:52:36 JST, in reply to the thread above

Tired: running network gear made a country with a proven track record in tech orgs can afford

Wired: rip and replace it with firewalls where a single bad packet can make a box unbootable because we're processing logs like it's 1994

In conversation about 6 months ago

Attachments

1. https://cyberplace.social/system/media_attachments/files/113/725/807/153/743/300/original/aa2fbcd1a500e8b2.png
sortius (sortius@mastodon.social)'s status on Saturday, 28-Dec-2024 05:44:56 JST, in reply to Kevin Beaumont

@GossiTheDog I get that the consumer gear is shite, and built like Swiss cheese, but how many in that price range aren't?

Commercial gear, though, seems fairly rock solid

In conversation about 6 months ago
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 28-Dec-2024 07:21:10 JST, in reply to the thread above

Palo Alto updated their advisory, the DoS issue occurs on the Advanced Security license too, not just DNS Security license

https://infosec.exchange/@cR0w/113727082315316250

In conversation about 6 months ago
bash0ra (bash0ra@infosec.exchange)'s status on Saturday, 28-Dec-2024 20:51:53 JST, in reply to Kevin Beaumont

@GossiTheDog is there such a known issue to fail open a Fortinet Firewall at the moment I have missed?

In conversation about 6 months ago
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Sunday, 29-Dec-2024 22:16:35 JST, in reply to Kevin Beaumont

@GossiTheDog it seems like it ought to be cheaper to just reverse engineer the shit out of the gear to look for issues

In conversation about 6 months ago
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 03-Jan-2025 01:39:40 JST, in reply to the thread above

A reminder about this thread for those returning from holiday

- if you're using Palo Alto firewalls and have DNS Security enabled on anti-spyware policies (you probably do) upgrade to the latest available release (you're running a supported release, right?) as a single DNS packet traversing the data plane (i.e. non-management) causes the firewall to fail and fail to boot.

- if you're using Fortigate firewalls, upgrade to latest release (if on 6.4.15 or below, update to latest 7.x).

In conversation about 6 months ago
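The FortiGate guidance in the thread (6.2 and below are end-of-life with no fix; 6.4.15 or below should move to the latest 7.x; the 7.x branches have fixes, so stay on the latest release in your branch) is the kind of thing defenders end up applying across an inventory by hand. The script below is an added example, not code from the thread, from Kevin Beaumont, or from Fortinet: it encodes only those statements as triage rules and runs them over a constructed device list. The hostnames and version strings are made up, the regex assumes FortiOS versions appear as `major.minor.patch` (optionally prefixed with `v` and followed by a build tag), and because the thread gives no fixed 7.x build numbers, a 7.x box is never marked "safe", only "upgrade to latest in branch". The advisory identifier FG-IR-24-266 referenced for the "check advisory" outcome is the one quoted later in the thread.

```python
"""Triage a FortiGate inventory against the version guidance quoted in the thread."""
import re
from dataclasses import dataclass
from enum import Enum

# Assumed version format: "7.0.12", "v6.4.15,build2680", etc. (constructed for this example).
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


class Action(str, Enum):
    EOL_NO_FIX = "EOL_NO_FIX"                    # 6.2 and below: vulnerable, no fix will ship
    UPGRADE_TO_7X = "UPGRADE_TO_7X"              # 6.4.15 or below: move to latest 7.x
    CHECK_ADVISORY = "CHECK_ADVISORY"            # not covered by the thread: consult FG-IR-24-266
    UPGRADE_LATEST_IN_BRANCH = "UPGRADE_LATEST"  # 7.x: fixes exist, run the latest in your branch


@dataclass(frozen=True)
class Device:
    name: str      # hostname (constructed sample data below)
    version: str   # FortiOS version string as reported by the device


def parse_fortios_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from a FortiOS version string; raise if none is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no FortiOS version found in {text!r}")
    major, minor, patch = (int(group) for group in match.groups())
    return major, minor, patch


def fortigate_action(version: str) -> Action:
    """Map one FortiOS version to the action the thread's guidance implies."""
    major, minor, patch = parse_fortios_version(version)
    if (major, minor) <= (6, 2):
        return Action.EOL_NO_FIX
    if (major, minor) == (6, 4):
        # The thread only says "6.4.15 or below"; later 6.4 builds are not addressed.
        return Action.UPGRADE_TO_7X if patch <= 15 else Action.CHECK_ADVISORY
    if major >= 7:
        return Action.UPGRADE_LATEST_IN_BRANCH
    return Action.CHECK_ADVISORY


def triage(devices: list[Device]) -> dict[str, Action]:
    """Return {hostname: action} for every device; unparsable versions are flagged for review."""
    result: dict[str, Action] = {}
    for device in devices:
        try:
            result[device.name] = fortigate_action(device.version)
        except ValueError:
            result[device.name] = Action.CHECK_ADVISORY
    return result


# Constructed inventory, one device per branch the thread talks about.
SAMPLE_INVENTORY = [
    Device("fw-branch-01", "v6.2.16,build1425"),
    Device("fw-branch-02", "v6.4.15,build2680"),
    Device("fw-branch-03", "6.4.16"),
    Device("fw-dc-01", "v7.0.12,build0523"),
    Device("fw-lab-01", "unknown"),
]

if __name__ == "__main__":
    for host, action in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {action.value}")
```

The point of keeping the outcomes coarse is that the triage never claims more than the source does: anything the thread does not address falls through to "check the advisory" rather than to a guess.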
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 03-Jan-2025 01:43:00 JST, in reply to the thread above

Also, since there's still confusion about the Fortigate issue - no, it isn't CVE-XYZ - no CVE is assigned still and there's still no advisory.

In conversation about 6 months ago
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 15-Jan-2025 00:11:31 JST, in reply to the thread above

The FortiGate issue has an advisory now: https://www.fortiguard.com/psirt/FG-IR-24-266

And a CVE: CVE-2024-46670

Found by some guys at QI-ANXIN Group

There’s some eye raising stuff in it but anyhoo, patch. You probably already are since the patches were released a while ago.

It doesn’t need management interface access, if you can send IKE packets you can send one which triggers the firewall to consume 90% RAM and fail open some traffic and/or crash.

In conversation about 5 months ago
hal8999 (hal8999@infosec.exchange)'s status on Wednesday, 15-Jan-2025 02:55:23 JST, in reply to Kevin Beaumont

@GossiTheDog Does somebody have a write-up on this?

In conversation about 5 months ago

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.