Fortinet follows Cisco in confirming Shadow Broker vuln
Versions after August 2012 are in the clear
Whatever the source and whoever the backers, evidence is mounting that the Shadow Brokers vuln-dump is real: Fortinet has followed Cisco in confirming its place on the list.
Cisco's confirmation said the EPICBANANA and EXTRABACON vulns listed in the drop were real. It had fixed one in 2011, and the other, a new SNMP bug, is on the to-do list with Snort rules providing temporary protection.
Fortinet's advisory has now landed, adding yet more credence to the dump.
Fortinet's vulnerability only exists in pre-August 2012 versions of its FortiGate firmware. Versions 4.3.8 and below; 4.2.12 and below; and 4.1.10 and below are affected by the cookie parser buffer overflow. Versions 5.x are not affected.
“This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over”, the advisory says. If a product can support 5.x firmware, that should be installed; if not, version 4.3.9 or above also fixes it.
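To triage a firmware inventory against the version ranges just quoted, here is an added example (it is not code from The Register or Fortinet; the host names and version strings are constructed). Note that the comparison must be numeric, since as strings "4.3.10" sorts below "4.3.8".

```python
# Added example: classify FortiGate firmware versions against the advisory's
# stated ranges. Affected: 4.3.x <= 4.3.8, 4.2.x <= 4.2.12, 4.1.x <= 4.1.10;
# 5.x is not affected; any other branch is not covered -> "unknown".
from typing import Optional, Tuple

# Highest affected release per branch, per the advisory ranges quoted above.
LAST_AFFECTED = {(4, 3): 8, (4, 2): 12, (4, 1): 10}

def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (also 'v4.3.10' or 'FortiOS 4.3.10') into ints.
    Integer comparison matters: as strings, '4.3.10' < '4.3.8'."""
    tok = version.strip().split()[-1].lstrip("vV")
    parts = tok.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def assess(version: str) -> str:
    """Return 'affected', 'not affected' or 'unknown' for one firmware version."""
    major, minor, patch = parse_version(version)
    if major >= 5:
        return "not affected"          # 5.x is not affected per the advisory
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return "unknown"               # branch not covered by the advisory
    return "affected" if patch <= last else "not affected"

def recommended_fix(version: str) -> Optional[str]:
    """Fix guidance from the advisory: 5.x where the product supports it,
    otherwise 4.3.9 or above. Returns None when no action is required."""
    if assess(version) != "affected":
        return None
    return "upgrade to 5.x if supported, else 4.3.9 or above"

# Constructed sample inventory (hypothetical hosts, not real devices).
INVENTORY = {
    "fw-branch-01": "4.3.8",
    "fw-branch-02": "v4.3.10",
    "fw-dc-01": "FortiOS 5.0.0",
    "fw-legacy": "4.2.12",
}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(f"{host:14} {ver:14} {assess(ver):13} {recommended_fix(ver) or '-'}")
```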
Kaspersky Lab had already confirmed to El Reg that the archive seemed genuine, but old – it was apparently collected some time in 2013.
That puts the collection of the archive before the White House's 2014 statement that it would quit hoarding vulns unless the NSA could convince it they were vital for intelligence-gathering.
Although the Electronic Frontier Foundation sued the agency in 2014 in the belief it was still keeping zero-days to itself, earlier this month, Columbia University researcher Jason Healey claimed the total number in the hoard these days is around 50. ®