Geekzone: technology news, blogs, forums
networkn
#311729 10-Feb-2024 13:07

https://www.cert.govt.nz/it-specialists/advisories/multiple-rce-vulnerabilities-affecting-fortios/

If you aren't using SSLVPN, just turn it off. Seriously. Check the KBs on Fortinet's site on how to do this properly (it's actually 2-3 places to turn it off completely I believe).


nztim
#3193251 10-Feb-2024 14:07

Completed all ours this morning. I am so over patching FGs every other month because of this.

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.
networkn
#3193257 10-Feb-2024 14:28

nztim: Completed all ours this morning. I am so over patching FGs every other month because of this.

Same. Really annoyingly we paid extra for our clients to have the ability to batch patch via cloud console, but after 90 minutes of saying "schedule for now" they were still all on the old version. Patched them manually, but someone at Fortinet is getting a severe dressing down Monday. The local support through the distributor in NZ is rubbish now too, and it used to be first class.

I have no idea why Firewall vendors are so crap.

nztim
#3193344 10-Feb-2024 17:05

networkn: ng a severe dressing down Monday. The local support through the distributor in NZ is rubbish now too, and it used to be first class.

I have no idea why Firewall vendors are so crap.

SonicWALL have also released a zero day too, again SSL-VPN. So over this. Probably the same underlying code in both firewalls.

kyhwana2
#3193348 10-Feb-2024 17:18

networkn: https://www.cert.govt.nz/it-specialists/advisories/multiple-rce-vulnerabilities-affecting-fortios/

If you aren't using SSLVPN, just turn it off. Seriously. Check the KBs on Fortinet's site on how to do this properly (it's actually 2-3 places to turn it off completely I believe).

Also if you ARE using SSLVPN, either patch it right now or turn it off.

networkn
#3193366 10-Feb-2024 19:13

nztim:

networkn: ng a severe dressing down Monday. The local support through the distributor in NZ is rubbish now too, and it used to be first class.

I have no idea why Firewall vendors are so crap.

SonicWALL have also released a zero day too, again SSL-VPN. So over this. Probably the same underlying code in both firewalls.

Thanks, I wasn't aware of this. Remind me why I work in IT again? :) Looks like Sunday will suck.

DjShadow
#3193370 10-Feb-2024 20:01

Saw the notification of this about 4pm yesterday, called our network vendor, which was met with an "oh sh*t", patching completed by 9pm. Not a great thing to sort on a Friday.


Lias
#3193686 10-Feb-2024 22:04

networkn: I have no idea why Firewall vendors are so crap.

It's not just Firewall vendors. Pretty much ALL the leading enterprise vendors are not just crap, they are actively greedy and evil.

Dodgy sales tactics/anti-competitive behaviour, huge markups, firmware/security updates locked behind paywalls, refusal to release source etc. for "end of life" hardware (that often has years if not decades of life left in it) to force you to buy new gear. Etc. etc.

We need a "right to repair" for enterprise hardware forcing them to publicly provide the tools to roll your own firmware when they EOL a product. /rant

I'm a geek, a gamer, a dad and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it.
michaelmurfy
#3193744 10-Feb-2024 22:48

I’m using a Fortigate 70F at home and it is patched, but something that I’ve had pointed out to me by somebody is the 7.4.x firmware now has an additional check to confirm you have a subscription and if not blocks the upgrade.

Seeing they’re a security company this is outright irresponsible. I know plenty of people who have these in their homelab to learn how to use these products and yet Fortinet decide to now paywall their firmware, leading to more people being made vulnerable.

Slowly becoming like Meraki.

Michael Murphy | https://murfy.nz
Referral Links: Octopus Energy ($50 Credit) | Tesla | Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


networkn
#3193746 10-Feb-2024 23:57

To be fair, the cost of the most basic subscription which also extends your warranty is a couple of hundred a year or less.

What is far more problematic imo is the outrageous fees they charge for the full subscription. Costs more than the actual hardware did a few years ago.

michaelmurfy
#3193784 11-Feb-2024 03:52

Basically you purchase the hardware but never actually truly own it due to the subscription model (which is getting worse).







nztim
#3193790 11-Feb-2024 07:51

networkn: To be fair, the cost of the most basic subscription which also extends your warranty is a couple of hundred a year or less.

What is far more problematic imo is the outrageous fees they charge for the full subscription. Costs more than the actual hardware did a few years ago.

I think the opposite.

I have no problems with the expensive subscription which provides corporates with Gateway AV, DPI-SSL, IPS protection, NetFlow, etc.

I do have a problem with being charged for a yearly subscription for firmware updates when you are not using those features and just using the device as a basic router.


nztim
#3193792 11-Feb-2024 07:59

Lias: It's not just Firewall vendors. Pretty much ALL the leading enterprise vendors are not just crap, they are actively greedy and evil.

Dodgy sales tactics/anti-competitive behaviour, huge markups, firmware/security updates locked behind paywalls, refusal to release source etc. for "end of life" hardware (that often has years if not decades of life left in it) to force you to buy new gear. Etc. etc.

We need a "right to repair" for enterprise hardware forcing them to publicly provide the tools to roll your own firmware when they EOL a product. /rant

In terms of EOL hardware UniFi is the worst; I have APs that are less than 3 years old which won't update anymore.

Aruba is reluctantly still releasing firmware updates for the Instant products; I am sure after the AP-600 series that is going to move to Aruba Central only.

Cisco Meraki have been doing it for years; those devices become door stops if you don't keep up the sub or the product goes EOL.


networkn
#3193801 11-Feb-2024 09:37

nztim: I do have a problem with being charged for a yearly subscription for firmware updates when you are not using those features and just using the device as a basic router.

Well, that also includes warranty for another year. If the thing craps out, it's going to cost hugely more money than the relatively small fees for maintaining its warranty.


BarTender
#3194093 11-Feb-2024 19:51

Weirdly I am quite happy with Cisco (non-Meraki, which I agree is 💩) gear. I run my whole home based on it. Never had a problem finding the latest release on one of the myriad of different sites hosting a copy, and Cisco kindly put the exact file name and MD5/SHA512 hash on their public site so I can confirm the file is legit.

Sure Murfs goes on about not getting gig over wifi, but I only paid $10 for the AC APs 6 years ago, and I recently did a change at home for which I needed a power outage and they had an uptime of 500 days.

I’m really good with “stuff that works that doesn’t keep on getting major vulns and I can still find the latest versions without too much drama or needing a support contract for my home network”.
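BarTender's point about confirming a download against the MD5/SHA512 the vendor publishes, as an added POSIX shell example (not code from this thread or from Cisco); the image file and digests in the demo are constructed, and it assumes sha512sum or shasum is installed:

```shell
# Added example, not code from the thread or from Cisco: check a downloaded
# image against the SHA-512 a vendor publishes before installing it.

# Print the SHA-512 of a file as lower-case hex, without the file name.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_firmware FILE PUBLISHED_DIGEST
# Exit status: 0 match, 1 mismatch, 2 file missing, 3 the pasted value is not a
# SHA-512 (e.g. an MD5 copied from the wrong column of the vendor page).
# Case and surrounding whitespace are normalised; vendor pages are inconsistent.
verify_firmware() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*) echo "not a hex digest: $2" >&2; return 3 ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "expected 128 hex chars (SHA-512), got ${#expected}" >&2
        return 3
    fi
    [ -f "$file" ] || { echo "MISSING: $file" >&2; return 2; }
    actual=$(sha512_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-512"
        return 0
    fi
    echo "MISMATCH: $file, do not install" >&2
    echo "  published: $expected" >&2
    echo "  actual:    $actual" >&2
    return 1
}

# Demonstration on a constructed stand-in for a firmware image (not a real one).
demo() {
    img=$(mktemp) || return 1
    printf 'constructed stand-in for a firmware image\n' > "$img"
    published=$(sha512_of "$img")        # stands in for the digest on the vendor page
    verify_firmware "$img" "$published"                                   # OK
    verify_firmware "$img" "$(printf '%s' "$published" | tr 'a-f' 'A-F')" # OK, case only
    verify_firmware "$img" "$(printf '%032d' 0)"                          # 32 chars: an MD5 pasted by mistake, status 3
    verify_firmware "$img" "$(printf '%0128d' 0)"                         # wrong image, status 1
    rm -f "$img"
}
demo
```

Where a vendor lists both, compare the SHA-512 rather than the MD5, since MD5 collisions are cheap to produce. The published digest only proves the file matches what the vendor page says, so read that page over HTTPS from the vendor, not from the mirror that served the file.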







Lias
#3194099 11-Feb-2024 20:49

BarTender: Never had a problem finding the latest release on one of the myriad of different sites hosting a copy and Cisco kindly put the exact file name and MD5/SHA512 hash on their public site so I can confirm the file is legit.

I've not always found the exact one I'm after but yes, I know what you mean. But we shouldn't have to resort to that for support, and once the device drops out of support there's nothing to be done.

Would it not be much better if every vendor was required to provide security updates free to anyone for the life of the device, and when the device becomes EOL/EOS hardware they were required to release the necessary files to allow people to build and flash their own firmware, so that people can continue to provide community security updates? More secure internet. Less e-waste. But less profit for vendors, so they'll never do it unless they are forced to.