Geekzone: technology news, blogs, forums


networkn
#311729 10-Feb-2024 13:07

https://www.cert.govt.nz/it-specialists/advisories/multiple-rce-vulnerabilities-affecting-fortios/

If you aren't using SSLVPN, just turn it off. Seriously. Check the KBs on Fortinet's site on how to do this properly (it's actually 2-3 places to turn it off completely, I believe).

 

 


nztim
#3193251 10-Feb-2024 14:07

Completed all ours this morning. I am so over patching FGs every other month because of this.

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.




networkn
#3193257 10-Feb-2024 14:28

nztim: Completed all ours this morning. I am so over patching FGs every other month because of this.

Same. Really annoyingly, we paid extra for our clients to have the ability to batch patch via cloud console, but after 90 minutes of saying "schedule for now", they were still all on the old version. Patched them manually, but someone at Fortinet is getting a severe dressing down Monday. The local support through the distributor in NZ is rubbish now too, and it used to be first class.

I have no idea why Firewall vendors are so crap.

nztim
#3193344 10-Feb-2024 17:05

networkn: Patched them manually, but someone at Fortinet is getting a severe dressing down Monday. The local support through the distributor in NZ is rubbish now too, and it used to be first class. I have no idea why Firewall vendors are so crap.

SonicWALL have also released a zero day too. Again SSL-VPN, so over this. Probably the same underlying code in both firewalls.
kyhwana2
#3193348 10-Feb-2024 17:18

networkn: https://www.cert.govt.nz/it-specialists/advisories/multiple-rce-vulnerabilities-affecting-fortios/

If you aren't using SSLVPN, just turn it off. Seriously. Check the KBs on Fortinet's site on how to do this properly (it's actually 2-3 places to turn it off completely, I believe).

Also, if you ARE using SSLVPN, either patch it right now or turn it off.

 

 


networkn
#3193366 10-Feb-2024 19:13

nztim: SonicWALL have also released a zero day too. Again SSL-VPN, so over this. Probably the same underlying code in both firewalls.

Thanks, I wasn't aware of this. Remind me why I work in IT again? :) Looks like Sunday will suck.

 

 


DjShadow
#3193370 10-Feb-2024 20:01

Saw the notification of this about 4pm yesterday and called our network vendor, which was met with an "oh sh*t". Patching completed by 9pm. Not a great thing to sort on a Friday.
Lias
#3193686 10-Feb-2024 22:04

networkn: I have no idea why Firewall vendors are so crap.

It's not just Firewall vendors... pretty much ALL the leading enterprise vendors are not just crap, they are actively greedy and evil.

Dodgy sales tactics/anti-competitive behaviour, huge markups, firmware/security updates locked behind paywalls, refusal to release source etc. for "end of life" hardware (that often has years if not decades of life left in it) to force you to buy new gear. Etc., etc.

We need a "right to repair" for enterprise hardware forcing them to publicly provide the tools to roll your own firmware when they EOL a product. /rant

I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.
michaelmurfy
#3193744 10-Feb-2024 22:48

I'm using a Fortigate 70F at home and it is patched, but something that I've had pointed out to me by somebody is that the 7.4.x firmware now has an additional check to confirm you have a subscription and, if not, blocks the upgrade:

Seeing they're a security company, this is outright irresponsible. I know plenty of people who have these in their homelab to learn how to use these products, and yet Fortinet decide to now paywall their firmware, leading to more people being made vulnerable.

Slowly becoming like Meraki.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


networkn
#3193746 10-Feb-2024 23:57

To be fair, the cost of the most basic subscription which also extends your warranty is a couple of hundred a year or less.

What is far more problematic imo is the outrageous fees they charge for the full subscription. Costs more than the actual hardware did a few years ago.

michaelmurfy
#3193784 11-Feb-2024 03:52

Basically you purchase the hardware but never actually truly own it due to the subscription model (which is getting worse).







nztim
#3193790 11-Feb-2024 07:51

networkn: To be fair, the cost of the most basic subscription, which also extends your warranty, is a couple of hundred a year or less. What is far more problematic imo is the outrageous fees they charge for the full subscription. Costs more than the actual hardware did a few years ago.

I think the opposite.

I have no problems with the expensive subscription which provides corporates with Gateway AV, DPI-SSL, IPS Protection, NetFlow, etc.

I do have a problem with being charged for a yearly subscription for firmware updates when you are not using those features and are just using the device as a basic router.

 

 





nztim
#3193792 11-Feb-2024 07:59

Lias: It's not just Firewall vendors... pretty much ALL the leading enterprise vendors are not just crap, they are actively greedy and evil. Dodgy sales tactics/anti-competitive behaviour, huge markups, firmware/security updates locked behind paywalls, refusal to release source etc. for "end of life" hardware (that often has years if not decades of life left in it) to force you to buy new gear. Etc., etc. We need a "right to repair" for enterprise hardware forcing them to publicly provide the tools to roll your own firmware when they EOL a product. /rant

In terms of EOL hardware, Unifi is the worst. I have APs that are less than 3 years old which won't update anymore.

Aruba is reluctantly still releasing firmware updates for the Instant products; I am sure that after the AP-600 series it is going to move to Aruba Central only.

Cisco Meraki have been doing it for years; those devices become door stops if you don't keep up the sub or the product goes EOL.

 

 

 

 







networkn
#3193801 11-Feb-2024 09:37

nztim: I do have a problem with being charged for a yearly subscription for firmware updates when you are not using those features and are just using the device as a basic router.

Well, that also includes warranty for another year. If the thing craps out, it's going to cost hugely more money than the relatively small fees for maintaining its warranty.


BarTender
#3194093 11-Feb-2024 19:51

Weirdly, I am quite happy with Cisco (non-Meraki, which I agree is 💩) gear. I run my whole home based on it. Never had a problem finding the latest release on one of the myriad of different sites hosting a copy, and Cisco kindly put the exact file name and MD5/SHA512 hash on their public site so I can confirm the file is legit.

Sure, Murfs goes on about not getting gig over wifi, but I only paid $10 for the AC APs 6 years ago, and I recently did a change at home that needed a power outage and they had an uptime of 500 days.

I'm really good with "stuff that works that doesn't keep on getting major vulns and I can still find the latest versions without too much drama or needing a support contract for my home network".


Lias
#3194099 11-Feb-2024 20:49

BarTender: Never had a problem finding the latest release on one of the myriad of different sites hosting a copy, and Cisco kindly put the exact file name and MD5/SHA512 hash on their public site so I can confirm the file is legit.

I've not always found the exact one I'm after, but yes... I know what you mean. But we shouldn't have to resort to that for support, and once the device drops out of support there's nothing to be done.

Would it not be much better if every vendor was required to provide security updates free to anyone for the life of the device? And when the device becomes EOL/EOS hardware, they should be required to release the necessary files to allow people to build and flash their own firmware, so that people can continue to provide community security updates. More secure internet. Less e-waste... But less profit for vendors, so they'll never do it unless they are forced to.






