insecure-vpn

Ground Hog Day: Fortinet VPN Edition


So it's a few days after Groundhog Day. Side note: I once explained this tradition to a UK colleague and he thought I was putting him on. Chris C, this one is for you!

Groundhog Day is famously about prognosticating rodents predicting the weather. But it's also a famous movie with Bill Murray where time resets each morning and he relives the same day again and again.

Today we got the cheerful news, via CVE-2024-21762 from Fortinet (advisory FG-IR-24-015), that your VPN is once again letting it all flap in the breeze, with a CVSS score of 9.6. Yes, you and your 9B best friends can now execute arbitrary commands (and new binaries!) on your key security appliance.

The Rust fans are all spinning this as yet another "I told you so" about an out-of-bounds write, in this case triggered by inbound HTTP requests with some hanky-panky inside. I won't link it, but there is an exploit available, meaning anyone with a device made in the last 20 years and the ability to type or speak something to Google can find it. So security through obscurity will not play here. National security agencies have already warned that this is being actively exploited.

Above I used the metaphor of Groundhog Day, because we just went through this with e.g. Ivanti. There I used the metaphor of Old Yeller and shooting an old friend. Yes, metaphors are my New Year's resolution; similes are so 2023.

So, what to do? Patch early, patch often? Maybe it's time to invest in some Defence in Depth. Your VPN needs a firewall on each side, ideally from different vendors. Or you need two VPNs in series. Another approach, which I recommend, is adopting a Zero Trust strategy, so it's not all or nothing, it's one piece at a time (cue Johnny Cash).
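To make the "firewall on each side" advice concrete, here is an added example (mine, not from the original post and not a Fortinet configuration) of two independent nftables rule sets that would sit on separate boxes around the VPN appliance. Interface names, addresses (RFC 5737 / RFC 1918 ranges), the VPN pool and the service ports are all assumptions for illustration.

```nftables
# Added example, not from the original post. Two packet filters wrapped around a VPN
# appliance. In practice each table lives on its own device, ideally from a different
# vendor than the appliance itself. All names and addresses below are assumed.

# --- Outer filter (Internet side): expose only the VPN listener, nothing else ---
table inet outer_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Only the VPN service ports may reach the appliance's outside address.
        # Assumed: SSL VPN on TCP 443, IPsec on UDP 500/4500, appliance at 203.0.113.10.
        iifname "wan0" ip daddr 203.0.113.10 tcp dport 443 ct state new accept
        iifname "wan0" ip daddr 203.0.113.10 udp dport { 500, 4500 } accept

        # Management (admin UI, SSH) must never be reachable from the Internet.
        # Logged so a probe for it shows up in the SIEM.
        iifname "wan0" ip daddr 203.0.113.10 tcp dport { 22, 8443 } log prefix "vpn-mgmt-from-wan " drop
    }
}

# --- Inner filter (LAN side): limit what the appliance and its users can reach,
#     so a compromised appliance has a small blast radius ---
table inet inner_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Remote-access users land in the assumed pool 10.200.0.0/24 and may only
        # reach named services, not the whole LAN (the "one piece at a time" part).
        iifname "vpn0" ip saddr 10.200.0.0/24 ip daddr 10.10.1.20 tcp dport 443 accept   # intranet app
        iifname "vpn0" ip saddr 10.200.0.0/24 ip daddr 10.10.1.53 udp dport 53 accept    # internal DNS

        # The appliance's own inside address (assumed 10.10.0.1) may talk only to the
        # directory server for authentication and to the syslog collector.
        iifname "vpn0" ip saddr 10.10.0.1 ip daddr 10.10.1.10 tcp dport 636 accept       # LDAPS
        iifname "vpn0" ip saddr 10.10.0.1 ip daddr 10.10.1.30 udp dport 514 accept       # syslog

        # Anything else originating from the VPN side is logged and dropped. Hits here
        # are the signal that the appliance, or something behind it, is trying to move
        # laterally after a compromise.
        iifname "vpn0" log prefix "vpn-side-lateral " drop
    }
}
```

Load each file with `nft -f` on its respective device. One caveat the post's own description makes obvious: the bug lives in the handling of HTTP requests on the exposed VPN service, and the outer filter still has to forward that traffic to port 443, so it cannot stop exploitation of the service itself; only the patch does that. What the outer filter buys you is removing every other port from the attack surface, and what the inner filter buys you is containment: a compromised appliance can reach two servers instead of the whole LAN, and the two `log prefix` rules give you something to alert on.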