Understanding Fortinet's Legacy of Security Flaws From Magic Back Door to XORtigate CVE-2023-27997

Volt Typhoon

⏱️ Time Stamps ⏱️
00:00 Fortinet Security
01:10 Fortinet Magic String
02:22 Volt Typhoon
03:14 XORtigate Fortigate VPN CVE-2023-27997

#firewall #fortinet #security
Comments

I'm a Fortinet fan, but I'm getting fed up with this lack of response to obvious CVE failures on the part of Fortinet. I appreciate you Tom for shining more light on these problems.

spyrule

As someone that works with Fortinet products regularly, you are spot on Tom. There is an established history and they need to mitigate it by doing a code audit.

SureshotCyclonus

This anecdotally reminds me of that time when Netgate added WireGuard support in 22.05 (AFAIK). When it was discovered that the code for the WireGuard package wasn't up to the industry standards, Netgate removed it altogether for a major rewrite, and re-released it much, much later. Interesting that Netgate could do this, albeit being a smaller player than Fortinet.

sergeitokarev

So I deployed about 18 of them last Friday. The literal day this CVE came out. Physically drove out to all the sites, replaced onsite stuff, installed, etc....only to drive back to the office and get a CVE notification a few hours later. Sometimes, you're just cursed. 🤣

chloefletcher

We utilize a Fortinet in the environment I manage at work. I’ve been following the VPN exploits for a period and ultimately decided to disable VPN on our firewall. Currently we utilize Rvnc to remote into our network, although this is set up on a case-by-case basis.

It’s a temporary holdover until Fortinet addresses this properly, or we wait until our license lapses, and move to another product.

Being a brand advocate has never been a positive experience, and this is just another example in a near infinite number of cases where being as such results in egg on one’s face.

Thanks for the video Tom.

ltur

Thanks very much for making us all aware about this.

knomad

Glad I found this! I'll be patching tonight.

cparker

This is the exact same problem with Checkpoint. You will see bugs fixed and later reintroduced, e.g. r80 (bugs found) > r80.1 (bugs fixed) > r80.2 (bugs reintroduced). I agree with you - these large companies have the budget and should be able to rewrite the code, but profit is more important than security. When will they ever learn!!

lonehunter

I've updated the firmwares at work a couple of days ago. These security issues seem never-ending. One of the reasons why I shut down SSL-VPN back in December, and glad I did. What kills me is why the web part is accessible to the internet when my users don't need to use it as long as they have the client installed? There is no way to turn that part off without turning off SSL-VPN entirely.

Fortinet needs to spend more time going through their code vs just releasing new features for the sake of marketing. I'll be investing more into pfSense for our Enterprise environment.

Darkk

I used to manage a fleet of FortiGates, and when we were migrating settings the team was like-for-like setting up the Palo Altos and the Palo would not commit. As the senior guy I would look at the issue, and it was always some typo that the FortiGate took and somehow worked, but it was not correct. I think Fortinet codes around every stupid helpdesk ticket they received. I much prefer the hard reality of Palo Altos. If you do something incorrect, it’s just not going to work or not even commit.

This easy one thing. It was many times.

ChristopherThornton

I'm a Forti-Fan as well... This video saddens me though, SSL VPN, BIG CVE... AGAIN... I very much hope Fortinet comes to similar conclusions RE: Code Base Audit starting with all world facing services their devices can host.

eece

Tom, you forgot to weigh in on whether the company is led by marketing or developers. That could be their root problem. SSE is all the rage (diluted from SISE) and I’m sure Forti don’t want to lag behind!! I can hear the marketing team, but Palo Alto is doing this, but Cisco is doing that!!!

bzmrgonz

Tom, you said it "the history speaks for itself". Awesome video and thanks for your input. As far as I am concerned, every Fortinet customer is just a future Netgate/pfsense customer.

parl-

I’m new to Fortinet. Just purchased my first FortiGate, a 40F to try out and learn from. Not sure what to think when I listen to this 🤔

MR-vjdn

Probably the SSL VPN developer group... That's what almost all of these critical vulnerabilities are found in

xephael

No firewall is perfect, but some are a lot less not perfect than others. Amazing how many people will just blindly say X is best and you shouldn't use anything else.

JimtheITguy

Brave video to put out. The networking subreddit loves Fortinet and god help you if you post anything negative there. That being said being security conscious means acknowledging when a vendor does a really crap job. Fortinet does a really crap job. This is an objective fact.
Nevertheless great video

PowerUsr

I use Forti at work, but I don't use their VPN. For that I use pfsense and OpenVPN.

wielkiptok

I am an installer. I install more Fortigates (in retail and food service) than anything else. I guess they were the lowest bidder ¯⁠\⁠_⁠(⁠ツ⁠)⁠_⁠/⁠¯

Heizenberg

People are moving to 7.4 to mitigate this CVE, but 7.4 has been a nightmare for me. The admin portal crashes, various GUI bugs, and worst of all a memory leak that requires me to reboot a 400F every 3.5 days. Performance-wise it's been fine but the bugs are unacceptable.

burtontech