December 7, 2022
In early October, cybersecurity company Fortinet Inc. made headlines after a severe vulnerability was exposed in several of its productions. The zero-day flaw allowed potential remote attackers to access on-premises management controls on  Fortinet’s core products FortiOS, FortiSwitchManager and FortiProxy, causing potentially catastrophic damages to affected users. Penetration tester company Horizon3.ai Inc. was one of the…

In early October, cybersecurity company Fortinet Inc. made headlines after a severe vulnerability was exposed in several of its productions.

The zero-day flaw allowed potential remote attackers to access on-premises management controls on  Fortinet’s core products FortiOS, FortiSwitchManager and FortiProxy, causing potentially catastrophic damages to affected users.

Penetration tester company Horizon3.ai Inc. was one of the key players in assisting potential victims, using its expertise to identify the source of the vulnerability by replicating it.

“We want to be to have a tool that can be used to exploit our customer system safely to prove that they’re vulnerable, so then they can go and fix it,” said James Horseman (pictured, right), exploit developer at Horizon3.ai. “The earlier that we have these tools to exploit, the quicker our customers can patch and verify that they are no longer vulnerable. So that’s the drive for us to go after these breaking exploits.”

Horseman and Zach Hanley (pictured, left), chief attack engineer at Horizon3.ai, spoke with theCUBE industry analyst John Furrier during an exclusive CUBE Conversation broadcasted on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how they discovered the vulnerability, how they helped those possibly affected, and how the vulnerability could have been used to launch attacks.

Identification through replication

Horizon3.ai first heard about the vulnerability on Twitter, immediately noticing it affected Fortinet’s key products. The team was able to replicate the exploit after running both the patched and unpatched versions of the product and highlighting the differences.

“Because we already had the exploit, what we did was we exploited our test Fortinet devices in our lab,” Hanley explained. “And we collected our own indicators of compromise and wrote those up. And then we released them … so that people would have a better indication to judge their environments if they’ve been already exploited in the wild by this issue.”

This specific vulnerability allows attackers to make any request they wanted in a remote system as if they were an administrator. The vulnerability was a natural consequence of a growingly complex system and not an intentional channel of attack, according to Hanley. Cyber terrorists still seek out these unintentional vulnerabilities to conduct their attacks, especially on vulnerabilities that infiltrate edge devices.

“These edge devices are super important, and they’re going to get a lot of eyes from attackers trying to figure out different ways to get into the system,” Hanley said. “And as you saw, this was in the wild exploited, and that’s how Fortinet became aware of it. So, obviously, there are some attackers out there doing this right now.”

Here’s the complete video interview, one of many CUBE Conversations from SiliconANGLE and theCUBE:

Photo: SiliconANGLE

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Source