Fortinet will want to forget last week after botched vulnerability disclosures and a war of words over an electric toothbrush caused chaos

Fortinet hasn’t had an ideal start to February, with the cyber security giant confirming three critical vulnerabilities within a week and facing criticism over claims about a three million-strong toothbrush botnet used to attack a Swiss firm.

To get the toothbrush debacle out of the way first: on 30 January 2024, Swiss newspaper Aargauer Zeitung published a story including an interview with a Fortinet employee discussing an example of internet-connected toothbrushes being hacked.

The interview described how these toothbrushes could be infected with Java-based malware and marshalled into a roughly 3 million-strong botnet to launch a DDoS attack on a Swiss company.

Things took a turn when a number of cyber security outlets picked the story up and warned readers about a bot army of internet-connected toothbrushes that could take down their business.

But the toothbrush anecdote was only hypothetical, according to Fortinet, which blamed a translation error for misleading non-German-speaking journalists who reported the story in good faith.

The author of the original story pushed back on this claim, however, telling another cyber security outlet that Fortinet had explicitly described the toothbrush DDoS attack as real.

The text presenting the toothbrush attack as something that had actually happened was submitted to Fortinet for review before publication, and the security company raised no objection, Aargauer Zeitung said.

True or not, the disarray created by this fiasco was only compounded by the disclosure of three genuine critical vulnerabilities in the space of a week.

When it rains it pours, and Fortinet was drenched

Around the time Fortinet was embroiled in a war of words with Aargauer Zeitung, two critical remote code execution (RCE) vulnerabilities affecting the company’s FortiSIEM product were disclosed, each assigned the maximum CVSS score of 10.

The severity reflects the fact that they could be exploited by a remote, unauthenticated attacker using crafted API requests to execute unauthorized commands, according to Fortinet’s advisory.

Fortinet’s disclosure of these vulnerabilities was almost as confusing as the PR disaster that unfolded as a result of the toothbrush botnet story.

Initially, the company said the new CVE entries had been published in error and were duplicates of an older CVE disclosed in October 2023.

But it soon became clear the two vulnerabilities were real: they were bypasses of the fix for that 2023 CVE, not duplicates of it. Fortinet quickly backtracked and acknowledged the vulnerabilities as variants of the original flaw.

The original flaw was patched in an earlier FortiSIEM release, and the two new flaws have been addressed in version 7.1.2.

Thursday 8 February then saw the disclosure of a third critical vulnerability, this time affecting FortiOS, with a CVSS score of 9.8.

CVE-2024-21762 is an out-of-bounds write vulnerability in the FortiOS SSL VPN component that could allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.

Fortinet’s advisory disclosing the flaw warned that it was potentially already being exploited in the wild. The following day (9 February), CISA added it to its Known Exploited Vulnerabilities (KEV) catalog, confirming that it poses a real threat to exposed systems.

The CISA guidance warned the flaw could put federal agencies at risk, stating “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
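The CISA catalog referred to above is published as a JSON feed, and checking whether a CVE has been listed and when its remediation deadline falls is a routine part of patch triage. The Python script below is an added example written for this page, not code from Fortinet, CISA or ITPro: it parses a catalog in the KEV feed’s schema, looks up a CVE, filters by vendor and flags entries whose due date has passed. The embedded sample is constructed: the cveID, vendor, product and 9 February dateAdded for CVE-2024-21762 follow what the article reports, while the dueDate and the second placeholder entry are illustrative assumptions. The `fetch_kev` helper downloads the live feed from the URL shown and is optional; the offline demo never calls it.

```python
"""Filter a CISA KEV catalog for a vendor and flag entries past their due date.

Added example for this page. The field names (cveID, vendorProject, product,
dateAdded, dueDate, ...) follow the schema of the JSON feed CISA publishes at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
from __future__ import annotations

import json
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample: the FortiOS entry's cveID, vendor, product and dateAdded
# match the article; its dueDate and the entire second entry are assumptions.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.02.09",
    "dateReleased": "2024-02-09T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-21762",
            "vendorProject": "Fortinet",
            "product": "FortiOS",
            "vulnerabilityName": "Fortinet FortiOS Out-of-Bound Write Vulnerability",
            "dateAdded": "2024-02-09",
            "shortDescription": "Out-of-bounds write allowing unauthenticated RCE via crafted HTTP requests.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2024-02-16",  # assumed value for the demo
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2024-99999",  # placeholder ID, constructed for this example
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder Vulnerability",
            "shortDescription": "Placeholder entry so the vendor filter has something to exclude.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dateAdded": "2024-02-01",
            "dueDate": "2024-02-22",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


def load_kev(text: str) -> list[dict]:
    """Parse a KEV catalog document and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def fetch_kev(url: str = KEV_URL, timeout: float = 30.0) -> list[dict]:
    """Download and parse the live catalog (needs network; not used by the demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def find_cve(entries: list[dict], cve_id: str) -> dict | None:
    """Return the KEV entry for a CVE identifier, or None if CISA has not listed it."""
    wanted = cve_id.strip().upper()
    return next((e for e in entries if e["cveID"].upper() == wanted), None)


def entries_for_vendor(entries: list[dict], vendor: str) -> list[dict]:
    """All entries whose vendorProject matches, case-insensitively."""
    v = vendor.strip().lower()
    return [e for e in entries if e["vendorProject"].lower() == v]


def overdue(entries: list[dict], today: date | str) -> list[dict]:
    """Entries whose remediation due date is strictly before `today` (ISO string or date)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [e for e in entries if date.fromisoformat(e["dueDate"]) < today]


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV)
    hit = find_cve(entries, "CVE-2024-21762")
    if hit:
        print(f"{hit['cveID']} ({hit['vendorProject']} {hit['product']}) "
              f"added {hit['dateAdded']}, due {hit['dueDate']}")
    for e in overdue(entries_for_vendor(entries, "Fortinet"), "2024-02-20"):
        print("OVERDUE:", e["cveID"], e["requiredAction"])
```

To run against the real catalog, replace `load_kev(SAMPLE_KEV)` with `fetch_kev()`; the same three filters then apply to the live list, and the `dueDate` comparison is what turns the feed into an actionable backlog rather than a news item.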

Fortinet’s advisory urges customers to upgrade FortiOS as soon as possible, and administrators can find the recommended upgrade path with Fortinet’s upgrade path tool. For devices that cannot be patched immediately, the advisory lists disabling SSL VPN as a workaround; turning off web mode alone is not sufficient.

The cyber security company, which has traditionally enjoyed a solid reputation in the industry, has spent the last 10 days putting out fires as quickly as they ignite.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.