Secure Your Fortinet Appliances Across On-Prem, Cloud, and Hybrid Networks at Scale

by Monti Knode | Oct 18, 2022 | Blogs

If there’s one thing we love seeing, it’s people using NodeZero to assess their hybrid cloud at scale, especially when verifying a fix.

While unannounced zero-day vulnerabilities garner a fair bit of fear and attention, one of the greatest risks to business operations is newly announced vulnerabilities, or N-days. When an easily exploitable vulnerability surfaces for a ubiquitous product, we’re all in a race to:

  1. Find any assets (especially public-facing) that are vulnerable
  2. Fix (remediate or mitigate) as quickly and safely as possible
  3. Verify the implemented fix action is actually working when attacked

For example, over the last week cybersecurity practitioners have been scrambling to remediate their Fortinet appliances against the latest CVE-2022-40684. In case you missed it, here’s a rundown to catch you up:

A quick online search reveals several articles outlining the vulnerability and its ongoing mass exploitation. With a product this ubiquitous, defenders are racing to fix while attackers are racing to exploit.

In the image below, you will see part of an administrator’s NodeZero operations summary screen, where several of our customers and new free-trial users are quickly verifying their security posture.

Some wanted to focus on specific known hosts running the vulnerable OS, while others wanted to find, fix, and verify “at scale” across their entire enterprise network. This is how our users find the appliance that wasn’t supposed to be public-facing anymore, the host set up by marketing that was supposed to have been decommissioned years ago, or the third-party authentications your developers used while your product was in staging that never got promoted to prod. This is how we all verify that our weekend fix actions are effective.

For instance, here’s how one client used NodeZero:

They used NodeZero to find their Fortinet appliance and verify that it was vulnerable, reachable, and exploitable from their chosen perspective, or launch point. They didn’t need to install an agent, write a script, or load a credential. They just used our simple Course of Action card, specified a scope, and launched a pentest.

Their first test came back confirming their appliance was exploitable.

This is the attack path NodeZero took en route to compromising this host and critical infrastructure.

You can see that NodeZero autonomously discovered the host, checked that the web service on port 80 was up and running, found that the FortiGate SSL VPN application was running, and then ran our exploit, which takes advantage of how the appliance OS handles a browser header and treats a specific server IP address as authoritative. It told the appliance to reach out to our interact server, and once the host was compromised, NodeZero provided proof by showing the contents of the administrator user settings.
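As an added defender-side illustration (not NodeZero’s code and not from the original post), here is a small Python check that parses FortiOS-style admin login events and flags the two things a responder would look for after this CVE: the `Local_Process_Access` pseudo-user that Fortinet published as an indicator for it, and successful admin logins from outside an assumed trusted-management allowlist. The log lines and the allowlist are constructed for the example.

```python
import ipaddress
import re

# Constructed FortiOS-style event log lines for the demo (not from the original post).
SAMPLE_LOGS = [
    'date=2022-10-14 time=09:12:03 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(203.0.113.10)" method="https" srcip=203.0.113.10 dstip=192.0.2.1 '
    'action="login" status="success"',
    'date=2022-10-14 time=09:13:41 type="event" subtype="system" logdesc="Admin login successful" '
    'user="Local_Process_Access" ui="jsonrpc" method="jsonrpc" srcip=198.51.100.7 dstip=192.0.2.1 '
    'action="login" status="success"',
    'date=2022-10-14 time=09:20:17 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(198.51.100.9)" method="https" srcip=198.51.100.9 dstip=192.0.2.1 '
    'action="login" status="success"',
    'date=2022-10-14 time=09:21:05 type="event" subtype="system" logdesc="Admin login failed" '
    'user="admin" ui="https(198.51.100.9)" method="https" srcip=198.51.100.9 dstip=192.0.2.1 '
    'action="login" status="failed"',
]

# Assumed (hypothetical) allowlist of networks from which admin logins are expected.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# FortiOS logs are key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortios_line(line):
    """Return the key=value fields of one FortiOS log line, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def suspicious_admin_logins(lines, trusted_nets=TRUSTED_ADMIN_NETS):
    """Flag successful admin logins matching the CVE-2022-40684 indicator or from untrusted sources."""
    hits = []
    for line in lines:
        f = parse_fortios_line(line)
        if f.get("type") != "event" or f.get("action") != "login" or f.get("status") != "success":
            continue
        reasons = []
        # Indicator Fortinet published for this CVE: the bypass logs in as this pseudo-user.
        if f.get("user") == "Local_Process_Access":
            reasons.append("login as Local_Process_Access (CVE-2022-40684 indicator)")
        src = ipaddress.ip_address(f["srcip"])
        if not any(src in net for net in trusted_nets):
            reasons.append(f"admin login from untrusted source {src}")
        if reasons:
            hits.append({"time": f"{f['date']} {f['time']}", "user": f["user"],
                         "srcip": f["srcip"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in suspicious_admin_logins(SAMPLE_LOGS):
        print(hit)
```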

Now that they knew it was exploitable, what did they do? 17 minutes later they ran a second attack just to verify that it really was. After confirming, the next pentest we see is the following morning:

And now you can see the comparison, where the hosts are still reachable but no longer vulnerable or exploitable.

This is how we win.

Bottom line: we’re making it simple for anyone to verify whether their appliances are reachable, vulnerable, and exploitable. Can your other tools do that at speed and scale?

This article was authored by Monti Knode, Director of Customer and Partner Success at Horizon3.ai.

How can NodeZero help you?

Let our experts walk you through a demonstration of NodeZero, so you can see how to put it to work for your company.