Slashdot Mirror


Fortinet VPN Client Exposes VPN Creds; Palo Alto Firewalls Allow Remote Attacks (bleepingcomputer.com)

An anonymous reader shares a report: It's been a bad week for two of the world's biggest vendors of enterprise hardware and software -- Fortinet and Palo Alto Networks. The worst of the bunch is a credentials leak affecting Fortinet's FortiClient, an antivirus product provided by Fortinet for both home and enterprise-level clients. Researchers from SEC Consult said in an advisory released this week that they've discovered a security issue that allows attackers to extract credentials for this VPN client. The second major security issue disclosed this week affects firewall products manufactured by Palo Alto Networks and running PAN-OS, the company's in-house operating system. Security researcher Philip Pettersson discovered that by combining three vulnerabilities together, he could run code on a Palo Alto firewall from a remote location with root privileges.

32 comments

  1. Poor NSA by Anonymous Coward · · Score: 0

    That's another couple zero days discovered!

    Better get on the phone to the boys at Cisco, get 'em to add some new ones.

    1. Re: Poor NSA by Anonymous Coward · · Score: 1

      I have a few good ones for Firepower... my favorite is a code injection in transparent mode that installs uCIP into the Ethernet driver and allows running a shell in the kernel. Works on Checkpoint too.

      I don’t have any for Juniper because I haven’t bothered with BSD.

    2. Re: Poor NSA by Anonymous Coward · · Score: 2, Funny

      You're full of crap. Hackers don't use shitty iPhones that fail basic ANSI punctuation.

  2. After Dip by Anonymous Coward · · Score: 0

    Great time to buy Fortinet stock.

    1. Re:After Dip by t0rkm3 · · Score: 1

      Nope. Palo Alto however...

      I wouldn't touch Fortinet with someone else's ten foot pole. I was just pondering their suckritude a fortnite ago when I found that WatchGuard is still a brand.

      Some things just should not be.

      [In case someone wonders, no I do not consider Barracuda a security company. They are an airport and AM radio media marketing firm that subconsciously programs you to want cocaine in your coffee, or Monster energy drinks... whichever is closer]

  3. Doesn't surprise me. by Anonymous Coward · · Score: 1

    I worked for FortiNet,
    Their code is crap and they know it.

    They are trying hard to rewrite most of it, but it's years of effort.

    1. Re:Doesn't surprise me. by TechyImmigrant · · Score: 3, Interesting

      I worked for FortiNet,
      Their code is crap and they know it.

      They are trying hard to rewrite most of it, but it's years of effort.

      Fortunately it doesn't take years of effort to stop using their products.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

    2. Re:Doesn't surprise me. by ccguy · · Score: 1

      Fortunately it doesn't take years of effort to stop using their products.

      Of course it does. Some of their clients are definitely not fast making decisions, implementing changes and so on.

    3. Re: Doesn't surprise me. by Anonymous Coward · · Score: 0

      No firewall, VPN or IPS will ever be secure after a few years. That’s why it’s so important to rewrite or buy a competitor and dump your own code.

    4. Re: Doesn't surprise me. by Anonymous Coward · · Score: 0

      Sorry, we can't tell what you're trying to say.

      "
      '

    5. Re: Doesn't surprise me. by Brockmire · · Score: 1

      No, that's fucking dumb. You test the shit out of it, fix bugs, and provide free updates without requiring support contracts. You rewrite it when you can't maintain it. Rewriting it is only going to lead to feature mismatch and new bugs. Your logic is very questionable.

    6. Re: Doesn't surprise me. by Brockmire · · Score: 1

      I was in an interview with Fortinet wireless dept over 2 years ago and something about security, NSA and Snowden came up. I forget the exact words, but one of the interviewers' response was very sketchy where it sounded like he was inferring something hush hush. It was really strange and my takeaway was "sounds like backdoor".

    7. Re:Doesn't surprise me. by haruchai · · Score: 1

      I worked for FortiNet,
      Their code is crap and they know it.

      They are trying hard to rewrite most of it, but it's years of effort.

      Worse than Cisco's? That's quite a feat

      --
      Pain is merely failure leaving the body

    8. Re: Doesn't surprise me. by Anonymous Coward · · Score: 0

      I like how they seem to have dropped their relatively lightweight Forticlient SSLVPN and turned it into a full-on security suite that looks awful and more importantly that I have no interest in running. Had to install it on a Mac recently and quickly removed the piece of crap after it started blocking web pages all by itself.

      Mind you the SSLVPN client seems to randomly break on Windows 10 too and just crashes on my Android phone

    9. Re: Doesn't surprise me. by mvdwege · · Score: 1

      Yeah, that's how you end up with crappy JunOS instead of just fine Netscreen OS.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?

    10. Re: Doesn't surprise me. by vwnlinux · · Score: 1

      It’s actually kind of amazing. For a basic firewall, ScreenOS is so rock-solid stable and “just works”.
      As nice as the Junos CLI is, it’s a shame that Juniper killed ScreenOS.

    11. Re: Doesn't surprise me. by Brockmire · · Score: 1

      Isn't there an iOS update to fix this shit? If there is, you're not being a good Apple.

    12. Re: Doesn't surprise me. by vwnlinux · · Score: 1

      iOS 11.2.5 beta just dropped, so maybe, but I doubt it. Until it is, more hush and less drivel please.

      It’s.

  4. Poor creimer by Anonymous Coward · · Score: 0

    He's going to have to work overtime to get the food and drinks for the people actually fixing this problem!

    1. Re:Poor creimer by Anonymous Coward · · Score: 0

      You really are a pathetic excuse for a human being. Just let this sink in a minute... You waste time stalking him, your fingers must not even be qualified to stroke your own balls, because you'd be doing that instead. What you are trying to do is pointless, and every keystroke would be better spent fingering your own asshole.
      I'm really saddened to see someone such as yourself, with absolutely nothing to offer.

    2. Re:Poor creimer by BronsCon · · Score: 1

      To be fair, he's offering creimer a bit of entertainment and the opportunity (which he takes, of course) to be the bigger man and not shoot back. Kind of similar to how my pet trolls entertain me; but I prefer to feed mine, it keeps them around longer.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

    3. Re: Poor creimer by Anonymous Coward · · Score: 0

      Lul. You wish you had the amount of trolls Creimer does. You are a nobody, nobody trolls you, nobody gives a fuck about what you say. Creimer has redefined the word troll. He is the king. Bow down before him and ask for forgiveness for your blasphemy. You wanna be.

      You're so vain, I bet you think this post is about you, about you!!!!!!!

      Lul get a grip. Your ego needs to be checked at the door. BrosCon, Lul. What a poser.

  5. These are the companies that have the gall by guruevi · · Score: 1

    to charge $80,000 for a ~12 port gigabit Linux-based iptables server and not even modern, some of the older models run Kernel 2.2 and the newer ones 2.4.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

    1. Re:These are the companies that have the gall by sexconker · · Score: 1

      $80,000? We just dropped $17 million on a device and service contract (for 3 years?)...

    2. Re:These are the companies that have the gall by Anonymous Coward · · Score: 1

      I think they probably like Wildfire and functional AppID that doesn't rely on crappy Cisco Firepower rules, and are probably fine with a three way handshake.

    3. Re: These are the companies that have the gall by Anonymous Coward · · Score: 1

      Or the ones that know all about it but just don't have the time to be rolling their own solution (incl reporting, managing fingerprints for services, etc). Personally, I've got way too many other things to be doing rather than keeping track of that stuff. Maybe if all I did was maintain a firewall, I could sustain the practice you seem to recommend.

    4. Re:These are the companies that have the gall by Anonymous Coward · · Score: 0

      They've been rolling out a 3.10 Kernel this year.

    5. Re: These are the companies that have the gall by guruevi · · Score: 1

      There are much better appliances out there that are both open, flexible and rather cheap. The fact you can get an extra tech for the yearly licensing per firewall is a reason not to choose them. The only reason you do is because they provide easy integration with certain black boxes you need if you have a carrier grade network.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com

    6. Re: These are the companies that have the gall by Anonymous Coward · · Score: 0

      What are these better appliances? Asking for a friend.

    7. Re:These are the companies that have the gall by pacman+on+prozac · · Score: 1

      Modern firewalls are better thought of as a server with dozens of different application proxies and Linux/iptables sat underneath it. They can intercept most protocols and in Palo's case pull files out of the streams and run virus checks or sandbox tests on them, for example SMB connections. That complexity will increase the attack surface, but that can be managed by keeping on top of updates and using layered security so the firewall isn't the only control. The benefits are huge especially in complex organisations where you have a lot of legacy tech to protect.

      There are some great OSS ones like pfsense around if all you want to do is basic NAT and block/permit based on TCP port, but firewall tech has moved on a long way from there and that really is a completely different beast.

  6. This firewall has no such issues...apk by Anonymous Coward · · Score: 0

    See subject & NEW APK Hosts File Engine 10++ 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script/malware rob speed/security/privacy/bandwidth.

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirect (99++% of ISP DNS != patched vs. it) + DNS tracking & lighten DNS load & resolve faster via local RAM!

    * Via what u NATIVELY have in a FASTER kernelmode IP stack (does more w/ less).

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/ (self checking vs. infection of it built-in)