It seems that almost every month there is a PSIRT advisory for a CVE affecting Fortinet SSLVPN. Is it even worth it?
Of course every puts out advisories but not almost monthly and on a single feature.
This component is actively targeted across vendors because it is actively used.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sslvpn
Fortinet has been more vulnerable in recent years.
But this is by no means unique to them. Of course, everyone has to determine what their risk tolerance is going to be…
It is a common target for security researchers as it is widely used.
SSL-VPN is garbage security-wise across the industry, because every vendor insists on using their own solution instead of creating/using an open source one. You don’t hear shit about IPsec getting critical CVEs.
Pulse and PAN have had similar issues, so had SonicWall or Sophos or Barracuda. My take on all of this is: separate remote access from your network device. Personally, I’m a big fan of SASE solutions but we also run on-prem VPN, just on separate boxes and different vendors.
Everything connected to the WAN without a strict ACL to protect it can be attacked. That’s just the way it is. Run EDR, patch fast, that’s all you can do.
Im sure many of the basic mechanisms behind how the SSLVPN connection is processed is most of the problem. It affects pretty much all firmware revisions when a problem is found. As another here has said, its a component thats targeted across all vendors.
I prefer to have my vpn gateway behind an ips capable device which can also provide geo based filtering. I know this is not going to add more value, but it can provide more control
Fortinet is one of the biggest players in the cyber security game. It’s good that the manufacturer fixes security gaps so often and constantly checks its code.This has the highest safety standards. Unfortunately, SSL VPN is a very popular entry point for bad actors.One possibility would also be to establish a connection via Fortinet SASE, then you don’t have to operate SSL VPN on your firewall because it operates in the Fortinet cloud.
IPSec everyday! Never any issues.
This year it’s Fortinet. Last year it was Palo Alto. 2 years ago it was Cisco. Next year it will be something else.
Your only options are:
- SASE/ZTNA
- Use a feature-deficient open-source solution. Less features = less bugs.
- Don’t offer remote access at all
Here’s why I call open source feature deficient: neither OpenVPN nor ocserv (an AnyConnect-compatible SSL VPN server) offer SAML 2.0 support
Here’s another one: I question whether ocserv supports the full industry-standard RADIUS protocol and can process the Access-Challenge RADIUS messages from FortiAuthenticator that prompt you for the rotating code. I intend to spin up a test environment to try it out.
I KNOW that an ASA supports it for AnyConnect, as does a number of other commercial solutions.
VPN is the most exposed firewall feature to the WAN for firewalls so this feature is the primary target for every firewall and which vendor would you chose instead? Just search for their CVEs on VPN first 
Actually i “like” that the bugs are found and patched, i would be more concerned if there are no bugs found for several months for such exposed feature from any vendor - the known / patched bug is no problem, the unknown / not (yet) reported bug is what i’m more scared of…
I think the company is purposefully writing flaws into their software. They probably are working together with the Chinese govt and hacker groups. I also saw a statement made by the CEO of nvidia years ago that basically said Fortinet could not be trusted due to the CEOs ties to china.
https://thehackernews.com/2024/03/cisa-alerts-on-active-exploitation-of.html?m=1
I guess you didn’t bother reading the PIRST blog, which explains that the recent discoveries are a result of an extensive code review following the CVE at the start of the year?
It’s the main gateway to a network so is under constant scrutiny, it’s hardly surprising these things are being found.