Fortinet: CVE-2024-21754: Passwords on a Silver Platter

13/06/2024
G DATA Blog

Matthias Barkhausen and Hendrik Eckardt have discovered a flaw in the firmware of Fortinet firewalls. This flaw potentially reveals sensitive information to attackers, such as passwords.

A deep pothole is an issue. It can damage vehicles and cause injury to pedestrians. One would think "that is an easy fix – just add some concrete and Bob's your uncle." But if you are lazy, you just put up a sign that says "Falling into this hole is prohibited – drive or walk around it."

Patching a software flaw through a policy-change advisory – it is worth a shot and you can try it – but do not be surprised if it does not work and comes back to haunt you years later. Fortinet did pretty much that in a security "patch" from November 2019 (for the keen-eyed among you: that was more than four years ago). Back then, a security researcher had discovered that the firmware of a firewall appliance contained a hard-coded crypto key, which users were advised to change. The crypto key was "Mary had a littl".

The "fix" issued by the vendor: "Please use a different key!"
Rhetorical question: did everybody follow this advisory?
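The check a practitioner would want after reading the 2019 advisory is a simple one: if the vendor-wide default key still decrypts your configuration backup, anyone who gets hold of the file can read the credentials in it. The following is an added illustration written for this article, not G DATA's or Fortinet's code. It does not reproduce FortiOS's real encryption scheme or backup format: the cipher is a stand-in (HMAC-SHA256 driven in counter mode, so it runs with the Python standard library alone), the sample configuration fragment and its password are constructed, and the function names are our own. Only the key-management failure is modelled, with the default key string being the one quoted above.

```python
"""Added illustration (not G DATA's or Fortinet's code): a backup encrypted
under a vendor-wide default key is readable by anyone holding the file, and
a "does the default key decrypt it?" check detects that state.

The cipher is a stand-in (HMAC-SHA256 in counter mode, no authentication tag,
confidentiality illustration only). FortiOS's real scheme is NOT reproduced.
"""
import hashlib
import hmac
import os

DEFAULT_KEY = b"Mary had a littl"  # the vendor-wide key named in the article


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in PRF-in-counter-mode keystream (illustrative, not FortiOS)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh 16-byte nonce prepended to plaintext XOR keystream."""
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def looks_like_config(data: bytes) -> bool:
    """Plaintext sanity check: the wrong key yields uniformly random bytes,
    the right key yields printable ASCII config text."""
    return len(data) > 0 and all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def backup_uses_default_key(blob: bytes) -> bool:
    """The practitioner's check: True if the vendor default key recovers
    readable configuration from the backup."""
    return looks_like_config(decrypt(DEFAULT_KEY, blob))


# Constructed sample config fragment; the account and password are made up.
SAMPLE_CONFIG = (
    b"config user local\n"
    b"    edit guest\n"
    b"        set passwd S3cretGuest!\n"
    b"    next\n"
    b"end\n"
)


def demo():
    """Returns (default key recovers weak backup, default key recovers strong backup)."""
    weak = encrypt(DEFAULT_KEY, SAMPLE_CONFIG)       # key never changed
    strong = encrypt(os.urandom(16), SAMPLE_CONFIG)  # per-device key set
    return backup_uses_default_key(weak), backup_uses_default_key(strong)


if __name__ == "__main__":
    weak_hit, strong_hit = demo()
    print("vendor default key recovers backup (key unchanged):", weak_hit)
    print("vendor default key recovers backup (per-device key):", strong_hit)
```

The point of `backup_uses_default_key` is that it needs nothing but the backup file and the published default: the same check, with the real cipher and format swapped in, is what a service provider should run over the configuration backups sitting in its mailboxes before assuming they are confidential.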

Old flaw, new tricks

Flash forward almost four years. During an investigation, an incident response team from G DATA Advanced Analytics was looking for the initial entry point that criminals had used to compromise a network. In this case it turned out to be a compromised guest account. When some direct questions did not yield the desired answers, Matthias Barkhausen and Hendrik Eckardt started digging, and found themselves in a rabbit hole made of security measures of archaeological relevance, shoddy password hygiene and security practices that are far from state of the art. Along the way, they came across a new security flaw.

Credentials on a silver platter

In the worst case, unauthorized users with access to a configuration backup of a Fortinet firewall could decrypt the file and read the user credentials it contains. Such backup files are commonly sent back and forth via email for review and control purposes. Given that many cybercrime actors also employ infostealer malware, this is a practice that companies, most notably service providers, should rethink sooner rather than later.

The flaw has been responsibly disclosed to the vendor. It has been addressed in FortiOS v7.4.4, dated June 11, 2024.
Learn more details and read the full story on the blog of G DATA Advanced Analytics.

Timeline

The timeline is a little long in this case: we started the responsible disclosure process in October 2023. On January 2, 2024, CVE-2024-21754 was assigned. The fix was released on June 10 and the advisory published on June 11. While 90 days is the usual, industry-accepted amount of time a vendor has to fix an issue before anything is made public, 243 days seems a little excessive in this case, even for something that is by no means a "catastrophic level" flaw.