subtoot about Fortinet zero-day. Those infosec publications are running WILD calling ...

Why Nostr? What is Njump? Join Nostr

npub14g…xznd6

2025-02-11 23:27:35 UTC

in reply to nevent1q…rffa

subtoot about Fortinet zero-day. Those infosec publications are running WILD calling it an exploited zero-day (complete with a backstory) with absolutely no evidence. Are we reading the same security advisory? What the fuck are you guys conjuring up and extrapolating from 2025-02-11: Added CVE-2025-24472 and its acknowledgement?

EDIT: You've heard of "patch-diffing." Get ready for *advisory-diffing*:
https://web.archive.org/web/20250114161659/https://fortiguard.fortinet.com/psirt/FG-IR-24-535 (14 January 2025)
versus https://fortiguard.fortinet.com/psirt/FG-IR-24-535 (11 February 2025):<li>An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module <code>or via crafted CSF proxy requests.</code></li><li>Follow the recommended upgrade path using our tool at: <del><a href="https://docs.fortinet.com/upgrade-tool"; target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="">docs.fortinet.com/upgrade-tool</span><span class="invisible"></span></a></del> <code>https://docs.fortinet.com/upgrade-tool</code></li><li>Please note that the above IP parameters are <del>under attacker control and therefore can be any other IP address.</del> <code>not the actual source IP addresses of the attack traffic, they are generated arbitrarily by the attacker as a parameter. Because of this they should not be used for any blocking.</code></li><li>edit 2set intf "<del>all</del><code>any</code>"</li><li><code>Please note as well that an attacker needs to know an admin account's username to perform the attack and log in the CLI. Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a best practice. Keep in mind however that the targeted websocket not being an authentication point, nothing would prevent an attacker from bruteforcing the username.</code></li><li><code>CSF requests issue:</code><code>Disable Security Fabric from the CLI:</code><code>Config system csf</code><code>Set status disable</code><code>end</code></li>

Some of these are explained in the changelog, but I wanted to be certain.

Author Public Key

npub14g0mj0fmn0sepfuhp2wupyk7d8xyz7rezpmrx2gfsav9vxlwxypq4xznd6

Seen on

wss://relay.momostr.pink

Show more details

Published at

2025-02-11 23:27:35 UTC

Kind type

1 Short Text Note

Event JSON

{ "id": "5369cc671ffdebf9957cad7e2dbca4ce4e12dc0a1f549e086d76a05b04434c66", "pubkey": "aa1fb93d3b9be190a7970a9dc092de69cc41787910763329098758561bee3102", "created_at": 1739316455, "kind": 1, "tags": [ [ "e", "31fe37ea949b57016a89374d925f929ecde46d422c5a8766798f44cca5e9704a", "", "root", "aa1fb93d3b9be190a7970a9dc092de69cc41787910763329098758561bee3102" ], [ "p", "aa1fb93d3b9be190a7970a9dc092de69cc41787910763329098758561bee3102" ], [ "e", "a31d84564a102bfe3b6736f0b1071b47ac0c0150b5ec8ff30f9c0470d8cf3aa4", "", "reply", "aa1fb93d3b9be190a7970a9dc092de69cc41787910763329098758561bee3102" ], [ "proxy", "https://infosec.exchange/@screaminggoat/113987843242570130", "web" ], [ "p", "0d873008be129d8b236e47f16c6108d533d9b1d17059c8661e9841f633505bf5" ], [ "proxy", "https://infosec.exchange/users/screaminggoat/statuses/113987843242570130", "activitypub" ], [ "L", "pink.momostr" ], [ "l", "pink.momostr.activitypub:https://infosec.exchange/users/screaminggoat/statuses/113987843242570130", "pink.momostr" ], [ "-" ] ], "content": "subtoot about Fortinet zero-day. Those infosec publications are running WILD calling it an exploited zero-day (complete with a backstory) with absolutely no evidence. Are we reading the same security advisory? What the fuck are you guys conjuring up and extrapolating from 2025-02-11: Added CVE-2025-24472 and its acknowledgement?\n\nEDIT: You've heard of \"patch-diffing.\" Get ready for *advisory-diffing*:\nhttps://web.archive.org/web/20250114161659/https://fortiguard.fortinet.com/psirt/FG-IR-24-535 (14 January 2025)\nversus https://fortiguard.fortinet.com/psirt/FG-IR-24-535 (11 February 2025):\u003cli\u003eAn Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module \u003ccode\u003eor via crafted CSF proxy requests.\u003c/code\u003e\u003c/li\u003e\u003cli\u003eFollow the recommended upgrade path using our tool at: \u003cdel\u003e\u003ca href=\"https://docs.fortinet.com/upgrade-tool\" target=\"_blank\" rel=\"nofollow noopener\" translate=\"no\"\u003e\u003cspan class=\"invisible\"\u003ehttps://\u003c/span\u003e\u003cspan class=\"\"\u003edocs.fortinet.com/upgrade-tool\u003c/span\u003e\u003cspan class=\"invisible\"\u003e\u003c/span\u003e\u003c/a\u003e\u003c/del\u003e \u003ccode\u003ehttps://docs.fortinet.com/upgrade-tool\u003c/code\u003e\u003c/li\u003e\u003cli\u003ePlease note that the above IP parameters are \u003cdel\u003eunder attacker control and therefore can be any other IP address.\u003c/del\u003e \u003ccode\u003enot the actual source IP addresses of the attack traffic, they are generated arbitrarily by the attacker as a parameter. Because of this they should not be used for any blocking.\u003c/code\u003e\u003c/li\u003e\u003cli\u003eedit 2set intf \"\u003cdel\u003eall\u003c/del\u003e\u003ccode\u003eany\u003c/code\u003e\"\u003c/li\u003e\u003cli\u003e\u003ccode\u003ePlease note as well that an attacker needs to know an admin account's username to perform the attack and log in the CLI. Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a best practice. Keep in mind however that the targeted websocket not being an authentication point, nothing would prevent an attacker from bruteforcing the username.\u003c/code\u003e\u003c/li\u003e\u003cli\u003e\u003ccode\u003eCSF requests issue:\u003c/code\u003e\u003ccode\u003eDisable Security Fabric from the CLI:\u003c/code\u003e\u003ccode\u003eConfig system csf\u003c/code\u003e\u003ccode\u003eSet status disable\u003c/code\u003e\u003ccode\u003eend\u003c/code\u003e\u003c/li\u003e\n\nSome of these are explained in the changelog, but I wanted to be certain.", "sig": "7cd01ce6141193f5483ba867e7c511f95ff2de8b1aea4dcc9b47d2249fb7e1e8a72da61aea83174c69aecd04f38f8af92b7795ea21bb7f0353525686b3057dcc" }