Tom here from Lawrence Systems, and I've talked about Fortinet before, and I think it's worth talking about them again. They're clearly one of the most popular firewalls out there. It's weird how many people ask me questions or want me to review them, but I don't really use them that often. We do have clients with them. I'm familiar with the platform, and many of those clients do have support contracts, so we're always making sure that they keep them up-to-date. But up-to-date doesn't necessarily mean secure, and this is kind of what I wanna talk about. My goal here is to raise a little bit of awareness, but I don't want you just to hear this from me or say, "Tom, you're just biased because you like other firewalls better than Fortinet." It's really specifically to talk about the security researchers, all the research and the CVEs. And you're going, "Well, lots of people have CVEs, Tom." It's not the number of CVEs. It's what those CVEs are, and that's exactly what I wanna talk about.
So we're gonna start going back with a little bit of history of some of the problems with Fortinet and bring you all the way up here to June of 2023 with some of the most recent problems with Fortinet, and it's really looking like they just don't do a good job of security testing and vetting their products. So let's dive into this. And we're gonna start here with something that turned into a talk at a Black Hat conference all the way in May of 2019, and I encourage you to watch that. These are all gonna be linked over in my forum post so you can dive deeper into the history of this, but this really shows not just the CVE but the coding that went into creating this, which is just dumb.
You can only read it in Fortinet's own words here, so the security researcher has a much more in-depth write-up, but let's just read exactly what Fortinet wrote. So from their own write-up here: it was also disclosed and fixed in May of 2019 that FortiOS included a magic string value that had previously been created at the request of a customer to enable users to implement a password change process when said password was expiring. That function had inadvertently been bundled into the general FortiOS release.
This is greatly concerning, and we're gonna come back to this in terms of the latest write-up, because when you have something like this, this is to me what should be a full stop at Fortinet of, "Hey, let's really dive in and examine our coding processes, and are there any other magic backdoors that security researchers might find?" Hopefully there's some good code sanitation, maybe even a whole rewrite of this subsystem, but nonetheless that doesn't appear to be what's happening here.
Because the vulnerability we're talking about today is CVE-2023-27997, found by security researchers, and this goes through the incident analysis. We're gonna jump over to the security research in a moment here. This is the part that kind of gave me a chuckle: the Volt Typhoon campaign. If you're not familiar, this is a campaign that there's a pretty large write-up on, which I'll link to down below as well, that talks about the threat actors targeting infrastructure through exploiting, once again, Fortinet SSL VPNs, because they're very popular with many government entities and critical infrastructure. And this new bug has nothing to do with the Volt Typhoon bug, so they're making sure that people know that, oh no, this is a completely different SSL VPN vulnerability than the latest one that happened here in June. Once again we're establishing kind of a history of Fortinet just not doing a good job of being proactive, but more reactive to pressures in the market.
Which brings us to the published research here, the Xortigate pre-authentication remote code execution for that particular CVE. This was published on Tuesday June of 2023. Now they walk you through everything here, and of course I encourage people to read all of this. This is really good security research going through the steps on here, and of course it's called Xortigate because they didn't do things in a most secure way using XOR. But let's scroll down to the bottom, because one of the things I really wanna comment on: there's gonna be a few notes for red teamers that will probably be updated at a later date. Hopefully when you're watching this that later date has passed and enough of these systems have patched that more details will be available.
But I really wanna highlight something these security researchers said, and it kinda brought me to making this video. It was just a reminder here, and this is what they said: after being reported in April, their response was prompt and cordial. So yes, Fortinet did actively engage with them and did fix the problem. But we remain, however, doubtful that they ever ran a proper security assessment on the appliance, considering the number of quality vulnerabilities that were found from 2019 to today. And by the way, that magic backdoor one was also referenced in there, because some of that research was what had them poking further at that specific aspect of the Fortinet.
And that's generally how this research goes. When they know there's a specific spot that there's a problem, as someone finds the first problem with it, there frequently is other researchers who go, "Oh, that technique probably means even if they patch it there's another way I can poke at it," and you'll see more and more, because it's like once that little wedge has been found into the system, there'll be more and more security researchers that will keep poking at that element. And this should be a cue for vendors to go, "Just rewrite this section. We have some flaws in it. We patched and mitigated, but obviously more flaws have been found. We patched and mitigated, more flaws are found." At some point companies, and Fortinet's a big enough company and I think can afford the engineering level it would take to do this, should be just rewriting this whole system and fixing it.
Because I know there's a lot of Fortinet fans who are going to be thumbs-downing this video, leaving their comments saying, "Tom, you're just biased." But I let the history speak for itself, the security researchers, and read all of these different write-ups and go, "Yeah, that does seem to be a coincidence here that they keep finding flaws in the same areas of these Fortinet." And Fortinet has this weird thing and even has a history of putting some hard-coded credentials in. Besides the magic backdoor, there's that whole link I have for all of the other different CVEs that have occurred before, and that's still not all of them.
And I'm willing to bet that sometime in the future, maybe the future where you're watching this, where you're finding this video and going, "Wait, it's 2024 and I'm still talking about the latest CVE and a Fortinet SSL VPN. Tom, you're right, they didn't take the time to fix it." Or I hope for a better future where the Fortinet goes, "Hey, I have enough market pressure from all the people that use my products," which do include many of my clients. We have lots of co-managed IT clients that use these, and I would like to see them not having problems. So why rip out the thing? You know, why not stay with Fortinet? Because many of my internal IT teams we work with know it really well. They're happy with the product. They're unhappy every time they see it in the news, but I'd like them not to see it in the news. And hopefully this pressures Fortinet, and other security researchers saying things like "we don't really think you do a good job" will kind of force the company to do a good job.
So to me that's the outcome. I'm not here just to trash a product. I'm here to hopefully raise awareness, which will then have you Fortinet users raising awareness to Fortinet: "Go ahead, can you fix this? Because we hate when people on YouTube kind of dump on products, and we hate when security researchers run around finding more and more problems with your system, or even worse, when threat actors exploit those systems and then cause chaos inside of all of our networks."
Nonetheless, love hearing from you. Leave your comments and thoughts down below. Like and subscribe to see more content on this. I'm hoping to not do another Fortinet VPN video anytime soon. That's actually my goal here. I don't want them to be broken. I want it to be fixed, and we can move on to other more interesting things. Nonetheless, head over to the comments section to leave a comment, your thoughts on this, or over to my forums if you want to engage with me on a more in-depth discussion on this or other topics on this channel, and thank you.