Release mode: Forced release, vendor has not replied.
Ref : TZO-112009 - Fortinet Generic Evasion
Vendor : http://www.fortinet.com
Security notification reaction rating : Catastrophic

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html


Affected products :
- t.b.a (Vendor has not reacted, please see below)

As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive and that the test environment mimics the production environment.

I. Background

Quote: "Fortinet is a leading provider of network security appliances and the leader of the unified threat management (UTM) market worldwide. Fortinet's award-winning portfolio of security gateways, subscription services, and complementary products delivers the highest level of network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while reducing total cost of ownership and providing a flexible, scalable path for expansion. "


II. Description
The parsing engine can be bypassed by a specially crafted and formatted archive file. Details are currently witheld due to other vendors that are in process of deploying patches.

A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. Fortinet is given a grace period of two (2) weeks to reply to my notification. Failure to do so will result in POC being released in two (2) weeks.
Fortinet (as well as others) is advised to leave a specific security contact at [1] in order to simplify getting in contact with them.

As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions can be read at :http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the archive. There is no inspection of the content at all.


IV. Disclosure time line

  • 09/03/2009 Send proof of concept, description the terms under which I cooperate and the planned disclosure date. There is no security adress listed at [1] and hence took the industry standard security contacts addresses secure@ and security@.

    No reply.
  • 14/03/2009 : Resending specifying this is the last attempt to disclose responsibly.

    No reply.
  • 15/04/2009 : Fortinet published advisories for third party vendors with the address dontreply-secresearch@fortinet.com, used secresearch@fortinet.com to resend advisory.

    No reply.
  • 17/04/2009 : Last attempt to contact, information sent to info@foritnet.com

    No reply, as of time of publishing
  • 17/04/2009 : Release of this advisory and begin of grace period.

  • 17/04/2009 : Fortinet replied instantly, investigation on going

[1] http://osvdb.org/vendor/1/Fortinet%20Inc_

1 comments

FortiGuard Global Security Research Team said... @ 17 April, 2009 21:26

We did receive your note sent to our security research team on April 15th and responded on that day to continue communications. We sent another response as we definitely want to properly address this matter, and appreciate your responsible disclosure path. Please inform secresearch@fortinet.com for future communications. Thank you.

Post a Comment