Fortinet CVE-2024-21762

Attention: If OID information is missing the report currently shows the FortiOS version as "Safe" while in reality it might not be.

I can't get this report to work on my setup.  I have OID informaition collected but cannot get the cloud report to show up.  I can get a version of the on-prem to show me.  What am I missing?

Hi @gospina-neb when was the cloud report run for the last time? You can find that by hovering the mouse over the "play" icon next to the report name

I waited a day, ran the report again, no dice.  Worse, the on-prem query shared doesn't work right.  I have one client running 7.2.8.  On-prem report still shows as "vulnerable".  Is there a way to see what query is being used on the cloud version?

Its interesting, if I run all the fortinet reports, some do give me data.  This particular site has FortiGate in HA mode, 4 FortiSwitches, and 4 FortiAPs.

here is the on-prem reports copied directly from the article.  Shows the FortiGate as "Vulnerable" when it isnt.

@gospina-neb The Cloud report runs on GraphQL, while the on-prem report runs on SQL. You can see the code by clicking on the Dup[licate Report button:

Fortinet does not list Fortigate 70D-POE as compatible with FortiOS 7.2.8: https://docs2.fortinet.com/document/fortigate/7.2.8/fortios-release-notes/760203/introduction-and-su... do you have any source that list it as compatible? 

A couple of points:

1) Lansweeper is reporting it as a 70D-POE, it is actually a Fortigate 70F, so not sure how Lansweeper came up with that.  I'll have to manually change that.  Other SNMP systems correctly identify the model.

2) I don't understand why it was brought up in the first place.  The report query never looks at the model number to begin with, it looks at the string given back by the SNMP/OID.  I was able to look at both the on-prem and the cloud reports and found the problem. 

The on-prem has nested if statements that look at each subversion and identifies it as vulnerable or not based on different combinations.  In this case, it basically says "if its 7, then a 2, then it must be greater than 6 and if so, it not vulnerable".  The problem is that all the logic is cancelled out with the last statement that marks everything as 'vulnerable'.  

The cloud report use complete different logic. The last two steps in the report filters based on "Vulnerable" and only shows you the devices that are vulnerable.  My issue here is that the report does not match what is shown as an image on the blog, so my expectations were different.

Here is what my modified report now looks like, mimicking the one shown on the document:

I'm not going to spend time fixing the on-prem report now that I got what I was looking for. 

All that being said, this exercise has been extremely helpful.  Thank you for helping me with this.  My next step is to take this report and somehow make it work in a multi-tenant setup.

Glad to read that the issue has been solved 🙂 It´s possible that Lansweeper misidentifies the model based on custom OIDs. We can investigate that if you want, but it would need to be done via a support ticket, as we would need to request OIDs/MIB files and logs/screenshots.