Another Vulnerability, Another Scramble for Patching - This Time Fortinet
Fortinet is disclosing another critical vulnerability in its SSL-VPN service (CVE-2024-21762). SSL-VPN is a typical part of next-gen firewall (NGFW) functionality, and the problem with such services is that they are by definition exposed as listeners on the public internet. This makes them sitting ducks for threat actors targeting zero-days.
As usual in such cases, the vulnerability enables unauthenticated attackers to remotely execute code through maliciously crafted requests. This allows quick exploitation without user interaction, typically followed by device takeover and lateral movement, finally leading to ransomware and other compromises.
Although the vulnerability is not yet known to be used by ransomware operators and no public proof-of-concept exploit code is known, this appears to be just a matter of time: Fortinet is warning that the bug is potentially already being exploited in the wild, and U.S. CISA has added it to its Known Exploited Vulnerabilities Catalog.
A preferred way to gain a foothold
Vulnerabilities in public-facing devices are becoming a critical part of threat actors' attack chains. No wonder these are being exploited more than ever before, with virtually no time between disclosure and exploitation in the wild. The past 12 months or so saw a flurry of such vulnerabilities, from Fortinet and Ivanti, through Citrix and Juniper, to Cisco VPN.
In its recent report, U.S. CISA warns that Chinese state-sponsored threat actors (Volt Typhoon) now have persistent access to many critical infrastructure organizations. Their preferred technique for entering organizations? Vulnerabilities in public-facing devices, of course, with SSL-VPN being the main target.
Worryingly, Fortinet confirms this in its recent advisory, highlighting Volt Typhoon's preference for FortiGate devices. Fortinet goes on to say: "Our own research, conducted in collaboration with our customers, has identified that the Volt Typhoon campaign uses a variety of tactics, techniques, and procedures (TTPs) to gain access to networks, including a widely used technique known as 'living off the land' to evade detection. The campaign appears to use vulnerabilities for which patches exist [!]".
Is rushing to patch a viable strategy for the future?
Fortinet's advice in this most recent case is, of course, the expected one: patch immediately or disable the SSL-VPN feature on the firewall.
Yet there seems to be a disconnect: many customer devices are sitting exposed on the internet even months after patches are released.
Take this example of Fortinet devices in the Adriatic region, following last June's critical vulnerability (also affecting SSL-VPN): even a month later, over 50% of publicly exposed devices were still unpatched!
One wonders how much time will elapse this time before the latest vulnerability is patched on most devices.
The threat actors' focus on SSL-VPN is understandable: all organizations nowadays need to enable remote access so that users can consume applications within their infrastructure. Yet exposing a device on the public internet on a do-it-yourself basis looks more and more risky.
Vendors are aware of this, which is why they now offer a modernized VPN access topology called Secure Access Service Edge (SASE), which effectively delegates remote access to vendor-managed infrastructure consumed as SaaS.
This managed infrastructure is monitored centrally and kept up to date by the vendor (meaning the incentive to patch is now clearly on the vendor).
If you want to mitigate the current risks inherent in public-facing devices, especially remote access infrastructure, SASE is definitely the model for the future.