You've patched right? '340K+ Fortinet firewalls' wide open to critical security bug

More than 338,000 FortiGate firewalls are still unpatched and vulnerable to CVE-2023-27997, a critical bug Fortinet fixed last month that's being exploited in the wild. This is according to infosec outfit Bishop Fox, which has developed an example exploit for achieving remote code execution via the hole. Successful …

  1. Khaptain Silver badge

    What's quite surprising is that Fortinet are not cheap systems, so why bother making the effort to buy expensive gear only to ignore the updates, especially this kind of update?

    But I can also imagine that some of the kit is just outdated models that are being used as home firewalls without the yearly subscriptions.

    1. Bebu Silver badge
      Windows

      Not Surprised

      I also wonder whether many organisations just don't have the people and/or processes to keep their perimeter devices patched and correctly configured.

      I can imagine that in recent times, corporations have created IT/SEC departments, employed companies of security thespians who warm seats before the consoles from the usual security software suspects.

      I would guess most real firewalls couldn't run xagt, so no assistance from that bit of buggery.

      So not really surprised.

      1. Captain Scarlet Silver badge
        Unhappy

        Re: Not Surprised

        I also wonder if some of these are shadow IT projects, someone puts in a gateway to make it easier to get in.

        I have certainly come across enough 3G/4G gateways on industrial equipment that were somehow missed off all documents which said "No IT involvement".

        1. Binraider Silver badge

          Re: Not Surprised

          I found one example recently where an industrial computer supplier was boldly claiming no 802.11 Wi-Fi. It had its own proprietary wireless protocol built in instead, as part of the sales pitch.

          Legalities aside, "NOPE" was the only response to procurement's question of whether we should consider these things. And before one complains about procurement, they did have the wisdom to at least ask the question.

    2. Paul Crawford Silver badge

      I was wondering the same, but the "home firewall" group seems odd to me. Yes, you might pick up the kit cheaply, but the power draw (and hence running costs) will mount up, and I hardly see any home needing huge-scale throughput. After all, OpenWrt or pfSense can be deployed on adequate and low-power hardware for probably less than eBay prices for those firewalls.

    3. Doogie Howser MD

      You might not think of Fortinet as being "cheap" per se, but at the enterprise level they always win on price (I know this from experience). Problem is, you get what you pay for and the amount of fairly nasty CVEs seems to disproportionately affect Fortinet more than the others in this space and we always seem to be scrambling to play catch up. Buy cheap, buy twice.

  2. Potemkine! Silver badge

    For the ones using branch 6.4, firmware 6.4.14 is available.

  3. t245t
    Facepalm

    FortiOS hack writes to firmware image

    ‘The security defect, Fortinet says in a blog post, was identified after “a sudden system halt and subsequent boot failure – a design to protect against compromise – of multiple FortiGate devices of a customer”.’

    “The shutdown was triggered by a failed integrity self-test after the system detected modifications of the firmware image that were meant to provide attackers with persistent access and control.”
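The quoted post describes a device that halts when its boot-time integrity self-test finds the firmware image has been modified. The following is an added illustration of that mechanism, not code from the article, from Fortinet or from any commenter: a keyed digest of the whole image is compared, in constant time, against a manifest value before boot is allowed, and a single flipped byte anywhere in the image turns a "boot" into a "halt". The key, the image bytes and the function names are all constructed for the example; a real device would keep the key or public signing key in hardware rather than in the image itself.

```python
import hashlib
import hmac

# Constructed placeholder key. On real hardware the verification key lives in a
# secure element or is a public key whose private half never leaves the vendor.
VERIFY_KEY = b"constructed-demo-key"


def digest_image(image: bytes, key: bytes = VERIFY_KEY) -> str:
    """HMAC-SHA256 over the entire image; stands in for a vendor signature."""
    return hmac.new(key, image, hashlib.sha256).hexdigest()


def integrity_ok(image: bytes, expected_hex: str, key: bytes = VERIFY_KEY) -> bool:
    """True only if the image's digest matches the manifest.

    compare_digest avoids leaking the position of the first mismatching byte
    through timing, which matters when the comparison result gates boot.
    """
    return hmac.compare_digest(digest_image(image, key), expected_hex)


def boot_decision(image: bytes, expected_hex: str) -> str:
    """Mirror the behaviour in the quoted post: halt instead of booting a
    modified image, rather than running it and hoping for the best."""
    return "boot" if integrity_ok(image, expected_hex) else "halt"


def tamper(image: bytes, offset: int) -> bytes:
    """Return a copy of the image with one byte flipped at `offset`.

    Used here only to show that the self-test catches an arbitrary single-byte
    change; the location and content of the change are irrelevant to the check.
    """
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed sample "firmware image" and its known-good manifest digest.
GOOD_IMAGE = b"DEMO-FIRMWARE\x00" + bytes(range(256)) * 4
MANIFEST_DIGEST = digest_image(GOOD_IMAGE)


if __name__ == "__main__":
    print("pristine image :", boot_decision(GOOD_IMAGE, MANIFEST_DIGEST))
    print("byte 0 flipped :", boot_decision(tamper(GOOD_IMAGE, 0), MANIFEST_DIGEST))
    print("last byte flip :", boot_decision(tamper(GOOD_IMAGE, len(GOOD_IMAGE) - 1), MANIFEST_DIGEST))
```

The design point is that the check covers the whole image, not just a header or a version string, and that the consequence of failure is a hard stop: a device that merely logs the mismatch and boots anyway gives an intruder persistence with a warning attached, which is what the halt-and-fail-to-boot behaviour in the quoted post is there to prevent.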

  4. StrangerHereMyself Silver badge

    Updates

    I suppose you can criticize companies that don't update the software on such a security-critical device, but OTOH I find it ironic that a firewall whose only function is to keep out miscreants fails miserably at this and even creates avenues for network intrusion.

    It's not just about patching. Companies that make this kind of equipment must make sure their wares are 100% secure in the first place. I sense that too many companies just throw something onto the market thinking they can always patch the software if there's a problem.

    These kinds of devices need to be vetted by an independent organization (Underwriter Laboratories?) to be allowed on the market.

    1. fg_swe Bronze badge

      Perfect Security

      "must make sure their wares are 100% secure"

      That is an impossible-to-achieve statement, especially given the complex "standards" to be implemented.

      I suggest the public should demand reasonable measures such as input fuzzing, memory-safe languages, proper documentation and proper test cases.

      We already have this in auto, aerospace, medical, and railways. It is a totally different process than what most developers are accustomed to. Also totally different from a price-point POV. Would you be prepared to pay 3x more than you do now?

      1. StrangerHereMyself Silver badge

        Re: Perfect Security

        A firewall is a pretty simple device. My ADSL router has a built-in firewall and it never fails and certainly doesn't create avenues for intrusion.

        Why then, is this expensive purposely built firewall a security hazard? Because they put too much cruft in it? I don't believe that to be an excuse. Purpose built security devices should be GUARANTEED to be safe, otherwise they're merely a nuisance.

        Like I hinted at: there should be an independent organization testing these devices before they're allowed onto the market.

  5. fg_swe Bronze badge

    All The Fun of C and C++

    A memory safe language would have neutered this exploit.

    http://sappeur.ddnss.de/Sappeur_Cyber_Security.pdf

    1. Paul Crawford Silver badge

      Re: All The Fun of C and C++

      And who, pray tell us, is rewriting it all in a new language?
