Security researchers have urged users to patch vulnerable VPNs as soon as possible since the vulnerability is understood to be easily exploitable.
The only workaround recommended by Fortinet is to disable the SSL VPN. Disabling webmode won't mitigate the vulnerability, it said.
Other vulnerabilities were also disclosed alongside it, such as CVE-2024-23113 - a critical RCE bug in the FortiOS fgfmd daemon - but these haven't been exploited in the wild.
The story immediately attracted our attention since it's not too often we hear about two maximum severity bugs being disclosed on the same day, impacting a major security product like FortiSIEM. However, that's what happened on Tuesday with both CVE-2024-23108 and CVE-2024-23109 appearing in the National Vulnerability Database.
The confusing part was that both vulnerabilities were submitted by Fortinet, but both linked back to a separate, earlier October advisory, revealing no details about these seemingly huge new flaws.
Hungry vultures we are, we swooped down and picked that story up immediately, shooting Fortinet a request for clarity on the matter and why it hadn't published details on them.
It took Fortinet more than 73 hours to issue us with an official response.
Since we're providing an overview of the vendor's week, what actually happened here was that it absolutely bungled the disclosure of these vulnerabilities.
Firstly, Fortinet backtracked and said these weren't vulnerabilities at all, instead explaining that they were issued in error and were duplicates of the single vulnerability mentioned in the aforementioned October advisory - CVE-2023-34992.
Within hours of this, the company backtracked again saying that yes, actually, these are two new vulnerabilities - two bypasses for October's CVE-2023-34992.
This came after the researcher credited with the discoveries published the email from Fortinet confirming the findings were indeed actual vulnerabilities.
Fortinet retained its 10/10 severity ratings, while the NVD downgraded both to 9.8.
Fortinet PSIRT policy diligently balances our commitment to the security of our customers and our culture of researcher collaboration and transparency.
Due to exceptional circumstances that include the premature dissemination of mitigation guidance and in an effort to help protect our customers, Fortinet distributed its monthly advisory on February 8 ahead of its anticipated February 13 publication date to provide important details to customers considering these circumstances.
For more on Fortinet's responsible disclosure process, visit the Fortinet Product Security Incident Response Team.
After many strongly worded suspicions that the claim was false, and a litany of memes pasted over tech social media, Fortinet responded by saying the claim was simply just lost in translation.
Stefan Zuger, the Fortinet engineer who gave the interview, provided specific details of the DDoS incident, including how long the attack had been ongoing and the potential damage to the unnamed website it affected, the reporter claimed.
The Swiss reporter also said the article was proofread by Fortinet before publication and nothing in the report was corrected by the vendor.
The weekend will doubtless be a welcome reprieve, especially for members of Fortinet's publicity team who will have been working tirelessly to undo all the company-wide errors from the past week.
To their credit, they will also be dealing with the response to the reports that were also published this week about Chinese cyberspies exploiting FortiGate vulnerabilities using custom malware.
This Cyber News was published on go.theregister.com. Publication date: Fri, 09 Feb 2024 15:13:03 +0000