Cybersecurity Forum


J13224
New Contributor III

Fortigate not protecting from CVE-2022-41080 MS.Exchange.Server.OWA.Remote.Code.Execution attacks

Why is a level 5 vulnerability like CVE-2022-41080 MS.Exchange.Server.OWA.Remote.Code.Execution STILL set as pass in the IPS database?

Thousands of Exchange servers are vulnerable, and Fortinet has the necessary protections but is just sitting on it not activating the signature by default.

Are your customers expected to be security experts monitoring all the security feeds so that they can manually override the dangerous Fortinet IPS pass behavior for critical security risks?

gfleming
Staff

There could be a myriad of reasons certain signatures are left with defaults of 'pass'.

Fortinet cannot dictate a one-size-fits-all approach here. So yes, most of the onus is on the network and security administrators to determine the IPS rules are a fit for their specific environment.

If you want to default block all level 5 IPS rules you are free to create a new IPS sensor and block all level 5 rules. It is trivial to do this.

Cheers,
Graham
J13224
New Contributor III

I have many FortiGates in production. I really value the product a lot and don't want to bust your chops but I have to. This is a critical vulnerability. There is no excuse for CVE-2022-41080 not to be blocked by default. 100% of Critical vulnerabilities and 97% of High risk vulnerabilities are Blocked on FortiGate IPS by default.

The other IPS vendors I looked at all protect from CVE-2022-41080 by default.

That includes Palo Alto, Check Point, and even Snort the free IPS.

If I were running any of your competitor's products, including even the free IPS, my clients and I would be protected from this by default.

What is it about a Critical in-the-wild Exchange vulnerability on one of the most widely deployed mail servers worldwide that FortiGuard considers less important than 99% of its other IPS protected assets? Just to highlight how disorganized Fortinet is with handling CVE-2022-41080: it is rightly classified as a critical vulnerability in the public FortiGuard Threat Encyclopedia but only high in the IPS database itself.

I should not wake up in the morning, discover a critical vulnerability of this significance and panic because I don't trust Fortinet. I pay Fortinet/FortiGuard to be the security expert so I do not have to worry about these vulnerabilities with simple IPS remediations.

The fact is right now, today, Fortinet products are the least safe option among the competition to protect a Microsoft/Exchange environment. And it's so unfortunate because Fortinet has all the expertise & technology in place to protect its customers. Yet simple poor decisions have created this situation.

gfleming

Understand your stance here but this forum isn't the place to figure out FortiGuard's decision-making when it comes to default IPS signature actions.

Also, it's important to note the IPS signatures shouldn't necessarily be a first-line defense for securing your servers. Ideally you have installed the security updates in the 1.5 months between when the CVE was released and when the IPS signatures were made available, during which time Fortinet was providing zero protection regardless of IPS signature settings. Hopefully you knew of this security vulnerability before you knew about Fortinet's IPS signature.

IPS signatures are great when you know you have a vulnerable system and can take a proactive approach to defending it. This is useful in cases, for example, where you can't upgrade a system for whatever reason but need it protected. Note all of these steps involve proactive involvement in network security.

If you just want to assign all signatures to your servers and hope for the best, that's fine too, but as you noted you will be left to the whim of FortiGuard's decision-making process, which neither you nor I have any real insight into.

When you wake up in the morning and discover a critical Microsoft vulnerability you shouldn't necessarily be trusting Fortinet to fix it for you. You should be looking to Microsoft, the vendor of your product, and installing their security updates ASAP. Fortinet and other security vendors can certainly help in a layered approach or specific approaches to securing the infrastructure but in this case the onus is primarily on the security team and product vendor to do the initial threat mitigation.

Cheers,
Graham
abarushka
Staff
Staff

Hello,

Default action was changed on 2023-02-06. Please find information about the signature below:

https://www.fortiguard.com/encyclopedia/ips/52448
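
The sensor suggested earlier in the thread ("create a new IPS sensor and block all level 5 rules"), written out as FortiOS CLI. This is an added example, not configuration posted by any participant or published by Fortinet: the sensor name `block-crit-high` and `<policy-id>` are placeholders, the signature ID 52448 is taken from the encyclopedia link above, and the severity filter is widened from level 5 to include high because the thread reports this signature as rated high in the IPS database. The `#` lines are annotations for the reader.

```fortios
# Added example; sensor name and policy ID are placeholders (assumptions).
config ips sensor
    edit "block-crit-high"
        set comment "Block by explicit action, not by signature default"
        config entries
            # Pin the signature from the encyclopedia link (ID 52448) to block,
            # whatever its default action or database severity is.
            edit 1
                set rule 52448
                set status enable
                set action block
            next
            # Severity filter for high and critical signatures.
            # "set action block" overrides a per-signature default of pass;
            # "set action default" would keep the pass behaviour discussed above.
            edit 2
                set severity high critical
                set status enable
                set action block
            next
        end
    next
end

# Attach the sensor to the firewall policy that publishes the Exchange/OWA server.
config firewall policy
    edit <policy-id>
        set utm-status enable
        set ips-sensor "block-crit-high"
    next
end
```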
