The chronicles of Fortinet's CVE-2020-9294

Alon Gal — Under the Breach
Apr 30, 2020

On April 20 I discovered that a 0-day was being sold on a private Russian cybercriminal forum.

The 0-day, according to the actor selling it, affected all versions of Fortimail, granting the user ROOT access to any Fortimail server[1]:

Of course, realizing the potential for malicious use of this exploit, I immediately began trying to reach Fortinet to make sure they were aware of it.

After a day had passed with no answer, I decided to ask for help in the CTI-League's Slack channel, as the group has over 2000 volunteers, most of them security researchers:

At the same time I received a direct message on Twitter from a friend of mine, @DrFurfagMD, telling me she had contacted the actor selling the exploit, and that he was asking her to provide a Fortimail server on which to verify the authenticity of his 0-day:

The problem was that we are not legally allowed to provide him with a target to attack unless it is given to us directly by Fortinet, and up to that point our combined efforts to reach them had failed.

Our plan was to get Fortinet's approval to provide the actor with a Fortimail server actively monitored by Fortinet, so that the 0-day could be caught as it was used against that server, allowing us to figure out exactly what the exploit does and get it patched.

It is worth mentioning that by this time the actor had already closed the thread selling the 0-day.

Going back a bit: almost immediately after I posted in the CTI-League, two different members referred me to two different Fortinet employees. I emailed them both; no answer.

Due to the urgency of the issue I even looked up the email address of Fortinet’s CISO to contact him directly:

I received no reply.

In fact, instead of receiving a reply, someone from the CTI-League told me that Fortinet would AGREE to talk to me if I signed an NDA:

I explained to him that there is no way in the world I am signing an NDA in order to discuss a PUBLICLY SOLD 0-DAY with the company; I felt it was an attempt to silence me with minimal consequences.

Fast forward to April 23: I tried to see whether Fortinet had made any comment regarding the 0-day and came across this Reddit post[2]:

It turned out that Fortinet had issued a CVE and an urgent advisory for the 0-day without making any public statement about it (as far as I have seen), and, even more interestingly, the CVE and advisory were deleted immediately afterwards[3,4]:

Fortinet then released the advisory again on April 27, giving details of a Fortimail vulnerability that sounds eerily similar[3]:

Fortinet did not say whether the 0-day sold on the cybercriminal forum, which affects Fortimail, is the same issue as CVE-2020-9294, even though they were aware of the confusion this would probably cause. It did cause confusion, according to some researchers familiar with the issue whom I have spoken to.

Bottom line: I know publicly traded companies like Fortinet have many concerns about their public image, but I feel that transparency in events like this is absolutely mandatory for the sake of protecting enterprises and end users.

And I am asking these questions:

  1. Why didn't Fortinet agree to talk to researchers about this 0-day incident?
  2. Despite being aware of the 0-day, why hasn't Fortinet acknowledged or referred to it in CVE-2020-9294?
  3. Should a researcher be asked to sign an NDA in order to discuss a publicly sold 0-day?
  4. Are CVE-2020-9294 and the aforementioned 0-day the same issue or different ones?

Connect with me — https://www.linkedin.com/in/alon-gal-utb/

References:

  1. https://twitter.com/underthebreach/status/1251979725762973696
  2. https://www.reddit.com/r/fortinet/comments/g61udf/authentication_bypass_in_fortimail_and/
  3. https://fortiguard.com/psirt/FG-IR-20-045
  4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9294
