Esben_D
Lansweeper Employee

Fortinet released critical patches for their FortiOS in response to CVE-2024-21762. Fortinet mentions that the vulnerability is already potentially being exploited in the wild. You can learn more about the vulnerability and grab the audit to list all vulnerable devices in our CVE-2024-21762 blog post.

9 Comments
andrgin1
Engaged Sweeper

Attention: If OID information is missing the report currently shows the FortiOS version as "Safe" while in reality it might not be.

gospina-neb
Engaged Sweeper

I can't get this report to work on my setup. I have OID information collected but cannot get the cloud report to show up. I can get a version of the on-prem to show me. What am I missing?

David_GF
Lansweeper Tech Support

Hi @gospina-neb when was the cloud report run for the last time? You can find that by hovering the mouse over the "play" icon next to the report name


gospina-neb
Engaged Sweeper

I waited a day, ran the report again, no dice.  Worse, the on-prem query shared doesn't work right.  I have one client running 7.2.8.  On-prem report still shows as "vulnerable".  Is there a way to see what query is being used on the cloud version?

gospina-neb
Engaged Sweeper

It's interesting, if I run all the Fortinet reports, some do give me data. This particular site has FortiGate in HA mode, 4 FortiSwitches, and 4 FortiAPs.

gospina-neb
Engaged Sweeper

Here is the on-prem report copied directly from the article. Shows the FortiGate as "Vulnerable" when it isn't.

Screenshot 2024-06-26 005249.png

David_GF
Lansweeper Tech Support

@gospina-neb The Cloud report runs on GraphQL, while the on-prem report runs on SQL. You can see the code by clicking on the Duplicate Report button.

Fortinet does not list Fortigate 70D-POE as compatible with FortiOS 7.2.8: https://docs2.fortinet.com/document/fortigate/7.2.8/fortios-release-notes/760203/introduction-and-su... Do you have any source that lists it as compatible?

gospina-neb
Engaged Sweeper

A couple of points:

1) Lansweeper is reporting it as a 70D-POE, it is actually a Fortigate 70F, so not sure how Lansweeper came up with that.  I'll have to manually change that.  Other SNMP systems correctly identify the model.

2) I don't understand why it was brought up in the first place.  The report query never looks at the model number to begin with, it looks at the string given back by the SNMP/OID.  I was able to look at both the on-prem and the cloud reports and found the problem. 

The on-prem has nested if statements that look at each subversion and identify it as vulnerable or not based on different combinations. In this case, it basically says "if it's 7, then a 2, then it must be greater than 6 and if so, it's not vulnerable". The problem is that all the logic is cancelled out with the last statement that marks everything as 'vulnerable'.

The cloud report uses completely different logic. The last two steps in the report filter based on "Vulnerable" and only show you the devices that are vulnerable. My issue here is that the report does not match what is shown as an image on the blog, so my expectations were different.

Here is what my modified report now looks like, mimicking the one shown on the document:

Screenshot 2024-06-26 215246.png

I'm not going to spend time fixing the on-prem report now that I got what I was looking for. 

All that being said, this exercise has been extremely helpful.  Thank you for helping me with this.  My next step is to take this report and somehow make it work in a multi-tenant setup.
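
An added example, not taken from the thread or from Lansweeper's own reports, of classification logic that avoids both problems raised in the comments above: missing OID data being reported as "Safe", and a final catch-all that marks everything "Vulnerable". The function names, asset names and version strings are constructed for illustration; only the 7.2 threshold comes from the thread, and the other branches are assumed to be filled in from Fortinet's advisory.

```python
import re

# First fixed patch level per FortiOS branch, keyed by (major, minor).
# Only the 7.2 entry comes from the thread ("7, then a 2, then greater than 6").
# Assumption: the remaining branches are added from Fortinet's advisory.
FIRST_FIXED = {(7, 2): 7}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def classify(version_string, first_fixed=FIRST_FIXED):
    """Classify one SNMP-reported version string into an explicit status."""
    # Missing OID data is its own state; it must never fall through to "safe".
    if not version_string or not version_string.strip():
        return "Unknown (no version data)"
    match = VERSION_RE.search(version_string)
    if match is None:
        return "Unknown (unparsed version)"
    major, minor, patch = (int(part) for part in match.groups())
    fixed = first_fixed.get((major, minor))
    # A branch the table does not cover is reported as unknown, not guessed.
    if fixed is None:
        return "Unknown (branch not in table)"
    # Compare numerically so that 7.2.10 sorts after 7.2.7.
    return "Not vulnerable" if patch >= fixed else "Vulnerable"


def audit(assets, first_fixed=FIRST_FIXED):
    """Return {asset name: status} for a mapping of asset name to version string."""
    return {name: classify(version, first_fixed) for name, version in assets.items()}


# Constructed sample inventory (hypothetical names, placeholder build numbers).
SAMPLE = {
    "fw-site-a": "v7.2.8,build0000",
    "fw-site-b": "v7.2.6,build0000",
    "fw-site-c": None,           # OID data was never collected
    "fw-site-d": "FortiGate",    # description string without a version
    "fw-site-e": "v7.4.1,build0000",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:10} {status}")
```

Every path returns a specific status, so a device only shows as "Vulnerable" or "Not vulnerable" when a parsed version was actually compared against a known threshold.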

David_GF
Lansweeper Tech Support

Glad to read that the issue has been solved 🙂 It's possible that Lansweeper misidentifies the model based on custom OIDs. We can investigate that if you want, but it would need to be done via a support ticket, as we would need to request OIDs/MIB files and logs/screenshots.
