In early October, cybersecurity company Fortinet Inc. made headlines after a serious vulnerability was disclosed in several of its products.
The zero-day flaw allowed potential remote attackers to access the on-premises management controls of Fortinet’s flagship products, FortiOS, FortiSwitchManager and FortiProxy, causing potentially catastrophic damage to affected users.
Penetration testing company Horizon3.ai Inc. was one of the key players in assisting potential victims, using its expertise to identify the source of the vulnerability by reproducing it.
“We want to have a tool that can be used to safely exploit our client system to prove it’s vulnerable, so they can then fix it,” said James Horseman (pictured, right), exploit developer at Horizon3.ai. “The sooner we have these tools to leverage, the sooner our customers can patch and verify that they are no longer vulnerable. So that’s why we’re continuing with these groundbreaking feats.”
Horseman and Zach Hanley (pictured, left), chief attack engineer at Horizon3.ai, spoke with theCUBE industry analyst John Furrier in an exclusive conversation on theCUBE, SiliconANGLE Media’s livestreaming studio. They explained how they reproduced the vulnerability, how they helped those potentially affected, and how the vulnerability could have been used to launch attacks.
Identification by replication
Horizon3.ai first heard about the vulnerability on Twitter, immediately noticing that it affected key Fortinet products. The team was able to reproduce the exploit by running patched and unpatched versions of the product and comparing the differences.
“Because we already had the exploit, what we did was exploit our test Fortinet devices in our lab,” Hanley explained. “And we collected our own indicators of compromise and wrote them down. And then we released them…so people would have a better indication to judge from their surroundings if they’ve ever been exploited in the wild by this problem.”
This specific vulnerability allows attackers to make any request they want to a remote system as if they were an administrator. The vulnerability was a natural consequence of an increasingly complex system and not an intentional attack channel, according to Hanley. Attackers constantly look for such unintended weaknesses to carry out their attacks, especially in internet-facing edge devices.
“These peripheral devices are extremely important and they will attract the attention of attackers trying to find different ways to enter the system,” Hanley said. “And as you saw, it was exploited in the wild, and that’s how Fortinet found out about it. So obviously there are attackers doing that right now.”
Here’s the full video interview, one of many CUBE conversations from SiliconANGLE and theCUBE: