Fortinet VPN Client Exposes VPN Creds; Palo Alto Firewalls Allow Remote Attacks (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Fortinet VPN Client Exposes VPN Creds; Palo Alto Firewalls Allow Remote Attacks (bleepingcomputer.com)

Posted by msmash on Thursday December 14, 2017 @07:30AM from the beware dept.

An anonymous reader shares a report: It's been a bad week for two of the world's biggest vendors of enterprise hardware and software -- Fortinet and Palo Alto Networks. The worst of the bunch is a credentials leak affecting Fortinet's FortiClient, an antivirus product provided by Fortinet for both home and enterprise-level clients. Researchers from SEC Consult said in an advisory released this week that they've discovered a security issue that allows attackers to extract credentials for this VPN client. The second major security issue disclosed this week affects firewall products manufactured by Palo Alto Networks and running PAN-OS, the company's in-house operating system. Security researcher Philip Pettersson discovered that by combining three vulnerabilities together, he could run code on a Palo Alto firewall from a remote location with root privileges.

20 of 32 comments (clear)

Min score:

Reason:

Sort:

Doesn't surprise me. by Anonymous Coward · 2017-12-14 08:03 · Score: 1

I worked for FortiNet,
Their code is crap and they know it.
They are trying hard to rewrite most of it, but it's years of effort.
1. Re:Doesn't surprise me. by TechyImmigrant · 2017-12-14 08:11 · Score: 3, Interesting
  
  I worked for FortiNet,
  Their code is crap and they know it.
  They are trying hard to rewrite most of it, but it's years of effort.
  Fortunately it doesn't take years of effort to stop using their products.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
2. Re:Doesn't surprise me. by ccguy · 2017-12-14 08:13 · Score: 1
  
  Fortunately it doesn't take years of effort to stop using their products.
  Of course it does. Some of their clients are definitely not fast making decisions, implementing changes and so on.
3. Re: Doesn't surprise me. by Brockmire · 2017-12-14 11:37 · Score: 1
  
  No, that's fucking dumb. You test the shit out of it, fix bugs, and provide free updates without requiring support contracts. You rewrite it when you can't maintain it. Rewriting it is only going to lead to feature mismatch and new bugs. Your logic is very questionable.
4. Re: Doesn't surprise me. by Brockmire · 2017-12-14 11:45 · Score: 1
  
  I was in an interview with Fortinet wireless dept over 2 years ago and something about security, NSA and Snowden came up. I forget the exact words, but one of the interviewers response was very sketchy where it sounded like he was inferring something hush hush. It was really strange and my takeaway was "sounds like backdoor".
5. Re:Doesn't surprise me. by haruchai · 2017-12-14 12:37 · Score: 1
  
  I worked for FortiNet,
  Their code is crap and they know it.
  They are trying hard to rewrite most of it, but it's years of effort.
  Worse than Cisco's? That's quite a feat
  
  --
  Pain is merely failure leaving the body
6. Re: Doesn't surprise me. by mvdwege · 2017-12-14 20:10 · Score: 1
  
  Yeah, that's how you end up with crappy JunOS instead of just fine Netscreen OS.
  
  --
  "I know I will be modded down for this": where's the option '-1, Asking for it'?
7. Re: Doesn't surprise me. by vwnlinux · 2017-12-15 01:40 · Score: 1
  
  Itâ(TM)s actually kind of amazing. For a basic firewall, ScreenOS is so rock-solid stable and âoejust worksâ.
  As nice as the Junos CLI is, itâ(TM)s a shame that Juniper killed ScreenOS.
8. Re: Doesn't surprise me. by Brockmire · 2017-12-15 04:26 · Score: 1
  
  Isn't there an iOS update to fix this shit? If there is, you're not being a good Apple.
9. Re: Doesn't surprise me. by vwnlinux · 2017-12-15 05:00 · Score: 1
  
  iOS 11.2.5 beta just dropped, so maybe, but I doubt it. Until it is, more hush and less drivel please.
  Itâ(TM)s.
Re: Poor NSA by Anonymous Coward · 2017-12-14 08:13 · Score: 1

I have a few good ones for Firepower... my favorite is a code injection in transparent mode that installs uCIP into the Ethernet driver and allows running a shell in the kernel. Works on Checkpoint too.
I donâ(TM)t have any for Juniper because I havenâ(TM)t bothered with BSD.
Re: Poor NSA by Anonymous Coward · 2017-12-14 08:37 · Score: 2, Funny

You're full of crap. Hackers don't use shitty iPhones that fail basic ANSI punctuation.
These are the companies that have the gall by guruevi · 2017-12-14 08:39 · Score: 1

to charge $80,000 for a ~12 port gigabit Linux-based iptables server and not even modern, some of the older models run Kernel 2.2 and the newer ones 2.4.

--
Custom electronics and digital signage for your business: www.evcircuits.com
1. Re:These are the companies that have the gall by sexconker · 2017-12-14 08:55 · Score: 1
  
  $80,000? We just dropped $17 million on a device and service contract (for 3 years?)...
2. Re:These are the companies that have the gall by Anonymous Coward · 2017-12-14 09:36 · Score: 1
  
  I think they probably like Wildfire and functional AppID that doesn't rely on crappy Cisco Firepower rules, and are probably fine with a three way handshake.
3. Re: These are the companies that have the gall by Anonymous Coward · 2017-12-14 09:52 · Score: 1
  
  Or the ones that know all about it but just dont have the time to be rolling their own solution (incl reporting, managing fingerprints for services, etc). Personally, Ive got way too many other things to be doing rather than keeping track of that stuff. Maybe if all I did was maintain a firewall, I could sustain the practice you seem to recommend.
4. Re: These are the companies that have the gall by guruevi · 2017-12-14 11:41 · Score: 1
  
  There are much better appliances out there that are both open, flexible and rather cheap. The fact you can get an extra tech for the yearly licensing per firewall is a reason not to choose them. The only reason you do is because they provide easy integration with certain black boxes you need if you have a carrier grade network.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
5. Re:These are the companies that have the gall by pacman+on+prozac · 2017-12-15 20:56 · Score: 1
  
  Modern firewalls are better thought of as a server with dozens of different application proxies and Linux/iptables sat underneath it. They can intercept most protocols and in Palo's case pull files out of the streams and run virus checks or sandbox tests on them, for example SMB connections. That complexity will increase the attack surface, but that can be managed by keeping on top of updates and using layered security so the firewall isn't the only control. The benefits are huge especially in complex organisations where you have a lot of legacy tech to protect.
  There are some great OSS ones like pfsense around if all you want to do is basic NAT and block/permit based on TCP port, but firewall tech has moved on a long way from there and that really is a completely different beast.
Re:After Dip by t0rkm3 · 2017-12-14 12:52 · Score: 1

Nope. Palo Alto however...
I wouldn't touch Fortinet with someone else's ten foot pole. I was just pondering their suckritude a fortnite ago when I found that WatchGuard is still a brand.
Some things just should not be.
[In case someone wonders, no I do not consider Barracuda a security company. They are an airport and AM radio media marketing firm that subconsciously programs you to want cocaine in your coffee, or Monster energy drinks... whichever is closer]
Re:Poor creimer by BronsCon · 2017-12-14 13:48 · Score: 1

To be fair, he's offering creimer a bit of entertainment and the opportunity (which he takes, of course) to be the bigger man and not shoot back. Kind of similar to how my pet trolls entertain me; but I prefer to feed mine, it keeps them around longer.

--
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.