@cR0w "Fortinet Rushes Emergency Fixes for Exploited Zero-Day" https://www.securityweek.com/fortinet-rushes-emergency-fixes-for-exploited-zero-day/
@cR0w I, infosec's only Fortinet enjoyer, can't even defend this one.
I’ve yet to decompile the hotfix, but the fact that they didn’t at least update the installer in the support portal means it’s trivially easy to find what they fixed.
The shell script strips out a bunch of headers from their Apache config. Headers that made no sense being permitted there.
All this while just last month they’re gloating about how they’re using AI in support functions and in writing code at Accelerate in Vegas.
@johnley There's also this: https://www.fortinet.com/blog/business-and-technology/cisa-secure-by-design-pledge-in-practice
Not that Fortinet is the only guilty one. The whole list makes me shake my head.