
Update Regarding CVE-2018-13379

By Carl Windsor | November 30, 2020

The security of our customers is our first priority. As part of our standard PSIRT process, when an alleged vulnerability is shared through responsible disclosure, Fortinet works hard to remediate it and then communicates mitigation guidance. And, as a PSIRT team and forward-looking security vendor, we are constantly seeking ways to engage, educate, and encourage our customers to institute mitigation best practices and to patch their systems.

For example, in May 2019 Fortinet issued a PSIRT advisory regarding an SSL vulnerability that was resolved. We have also communicated directly with customers, and again via corporate blog posts in August 2019 and July 2020, strongly recommending an upgrade, and have since issued a Customer Support Bulletin (CSB-200716-1) to highlight the need to upgrade.

The potential dangers of unmitigated, 18-month-old vulnerabilities have been repeatedly highlighted by the United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE), which have published research into the activity of ‘APT29’, also known as ‘the Dukes’ or ‘Cozy Bear’. This group has been targeting various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, with the high likelihood of intending to steal information and intellectual property (IP) relating to the development and testing of COVID-19 vaccines.

Furthermore, in the last 60 days, we became aware that threat actors were scanning the internet for unpatched devices. Fortinet sent out another, even more tailored email notification directly to the 50K+ customers that were identified as running impacted firmware, in a further attempt to highlight the issue and guide customers through mitigation steps.

Since the original PSIRT Advisory, we have put several processes and best practices in place to prevent recurrence. However, after over 18 months, over 7 different Fortinet notifications, and news outlets and government organizations also calling out the risk, a large number of devices remain unpatched, and it has been reported that their IP addresses are being sold.

As a result of introspection on our efforts to engage, educate, and encourage our customers to patch their systems, the following are some of the continued customer protection and communication efforts we are pushing out to help our customers adopt a more proactive risk management and mitigation process for the potential vulnerabilities they may face:

Fortinet Monthly Vulnerability Notification: Starting December 1, Fortinet will publish a Monthly Vulnerability Advisory on the first Tuesday of each month, giving customers a consistent cadence with specific dates on which to focus on infrastructure patching. Potential critical-severity or in-the-wild vulnerabilities will be communicated as necessary via an out-of-cycle advisory.

Security Rating: From FortiOS 6.6 forward, to rule out any chance of a customer missing a notification, all medium and above vulnerabilities will be incorporated into the Security Rating Service. Any device in the security fabric with a vulnerability will then cause a reduction in the Security Rating, as an additional way to flag potential risk to security teams. Remediating the potential issue would then result in an increase in the Security Rating score.

Vulnerability Notification in the GUI: In addition to the monthly cadence of communications from the PSIRT team and the incorporation of those factors into the Security Rating, a high or critical severity issue requiring an upgrade will also be flagged in the GUI of the potentially affected device, with a link to the FortiGuard advisory.

Vulnerability Notification in the Support Portal: When a Fortinet device checks in with FortiGuard to pull down its latest security updates, it communicates the running firmware for support purposes. This will be used to report on the security level of all Fortinet devices in a user's FortiCare support account.

Stability Releases and Long-Term Support: To further aid critical infrastructure providers in their choice of firmware and to simplify the process of upgrading, Fortinet will label stability releases and provide long-term support for selected firmware, with the intention of removing some of the perceived challenges that delay customers from performing upgrades.

At Fortinet, we are on a journey with our customers to best protect and secure their organizations, and we welcome feedback from our customers on this ongoing process. Please contact PSIRT@fortinet.com if you have any other suggestions or feedback.

For details of the Fortinet PSIRT Policy and to report a vulnerability: https://www.fortiguard.com/psirt_policy.