Discover Vulnerable Fortinet Devices in Your IT Estate
Fortinet has released firmware updates for several versions of FortiOS and FortiProxy to address a critical heap-based buffer overflow vulnerability in SSL-VPN. The issue could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. There are already reports of this bug being exploited in the wild. The report below will give you an overview of all vulnerable Fortinet devices in your network. You can read more about this bug in the Fortinet RCE Vulnerability blog post.
The version information of your FortiOS installations will not be scanned by default. You will have to add this information to your scan manually using custom OID scanning. You can easily find the correct OID in the MIB library.
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tblAssets.Description,
Subquery1.Label As OID,
Subquery1.Data As Version,
Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) -
1) As [Version (Normalized)],
Case
When tblAssetCustom.Model Like '%FortiProxy%' And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 3) As int) = 7 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 2) As int) = 2 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 1) As int) >= 4 Then 'Safe'
When tblAssetCustom.Model Like '%FortiProxy%' And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 3) As int) = 7 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 2) As int) = 0 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 1) As int) >= 10 Then 'Safe'
When (tblAssetCustom.Model like '%6[0-9][0-9][0-9]%' or
tblAssetCustom.Model like '%7[0-9][0-9][0-9]%') and
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 3) As int) = 7 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 2) As int) = 0 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 1) As int) >= 12 Then 'Safe'
When (tblAssetCustom.Model like '%6[0-9][0-9][0-9]%' or
tblAssetCustom.Model like '%7[0-9][0-9][0-9]%') and
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 3) As int) = 6 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 2) As int) = 4 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 1) As int) >= 13 Then 'Safe'
When (tblAssetCustom.Model like '%6[0-9][0-9][0-9]%' or
tblAssetCustom.Model like '%7[0-9][0-9][0-9]%') and
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 3) As int) = 6 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 2) As int) = 2 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 1) As int) >= 15 Then 'Safe'
When (tblAssetCustom.Model like '%6[0-9][0-9][0-9]%' or
tblAssetCustom.Model like '%7[0-9][0-9][0-9]%') and
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 3) As int) = 6 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 2) As int) = 0 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 1) As int) >= 17 Then 'Safe'
When Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 3) As int) = 7 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 2) As int) = 4 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 1) As int) >= 0 Then 'Safe'
When Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 3) As int) = 7 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 2) As int) = 2 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 1) As int) >= 5 Then 'Safe'
When Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 3) As int) = 7 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 2) As int) = 0 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 1) As int) >= 12 Then 'Safe'
When Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 3) As int) = 6 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 2) As int) = 4 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 1) As int) >= 13 Then 'Safe'
When Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 3) As int) = 6 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 2) As int) = 2 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 1) As int) >= 14 Then 'Safe'
When Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 3) As int) = 6 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 2) As int) = 0 And
Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v',
Reverse(Subquery1.DataClean)) - 1), 1) As int) >= 17 Then 'Safe'
Else 'Vulnerable'
End As [FortiOS Vulnerable],
Case
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
tblAssets.Lastseen,
tblAssets.Lasttried
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join (Select tblOIDData.AssetID,
tblOIDData.Label,
tblOIDData.Data,
SubString(tblOIDData.Data, CharIndex('v', tblOIDData.Data), CharIndex(',',
tblOIDData.Data) - 1 - CharIndex('v', tblOIDData.Data) + Len(',')) As
DataClean
From tblOIDData
Where tblOIDData.Label = 'fg sys version' And
tblOIDData.Data Not Like '%data%') As Subquery1 On Subquery1.AssetID =
tblAssets.AssetID
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Where tblAssetCustom.Manufacturer Like '%fortinet%' And tblState.Statename =
'Active'
Order By tblAssetCustom.Model,
tblAssets.IPAddress,
Subquery1.DataClean
The version information of your FortiOS installations will not be scanned by default. You will have to add this information to your scan manually using custom OID scanning. You can easily find the correct OID in the MIB library.
