Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs

Yes, I’ve made a logo in crayon and named this FortiJump.

Did you know there’s widespread exploitation of FortiNet products going on using a zero day, and that there’s no CVE? Now you do.

I’ve even made a picture explaining!

I give you all rights to use this image.

Back on October 13th, I started a Mastodon thread for something I’d come across:

Kevin Beaumont (@GossiTheDog@cyberplace.social)

The thread is a bit wild; I didn’t know about the FortiNet private notification, as I’m just an InfoSec pleb (InfoSec porg?), so I had to fill in the details via Reddit later.

At the time, it turned out no patches were available, no CVE had been allocated, and they hadn’t decided to publicly document what was happening. I locked some of the thread to followers only, to give Fortigate time to get things in order and to give defenders some mitigations.

But, well, it’s been a while. I gather they’ve notified some customers via email — according to Reddit, many people in infosec didn’t get the email, and they’ve relied on my toots.

There’s still no CVE allocated.

There’s still no reference to it on FortiNet’s PSIRT security advisory website (which, also, stopped working over a day ago):

There are some patches available, but not for all versions. Where patches are available for certain releases, the resolved issue list is blank and there’s no mention of a security issue:

tumbleweed

I’m not confident that FortiNet’s narrative that they’re protecting customers by not publicly disclosing a vulnerability is protecting customers. This vulnerability has been under widespread exploitation for a while. It doesn’t protect anybody by not being transparent… except maybe themselves, and any governments that don’t want to be embarrassed.

FortiNet’s last security team blog on their website includes a section titled “A Call to the Industry: Doing the Right Thing for the Security of our Society”, which is great! It talks about “transparent disc

[…]

This article has been indexed from DoublePulsar – Medium