Hello, welcome to the Thursday, September 8, 2016 edition of the Sansanet Storms anders Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

In case you're using our blog list, I updated it earlier today.

Really, the only thing that changed is how I'm actually picking these top 20

slash 24 networks. Other than that, the format and such state the same. So you shouldn't really

see much of a difference here if you just imported. If you do see any problems, please let me

know. Also, if you do see any false positives, please let me know.

And actually, the main reason for this rebuild was to change the architecture, someone

to make it easier to automatically eliminate some common false positives.

Search.org published an advisory regarding 40-net 41 load balancers. Apparently they suffer

from five different vulnerabilities. Only one of these vulnerabilities has been addressed so far.

And according to the advisory, Fortinet has been somewhat non-responsive to these vulnerabilities.

Now, the one vulnerability was addressed in a recent update does allow an authenticated

but non-administrative user to actually obtain PCAP-traffic passing through the device.

The other vulnerabilities do allow, for example, privilege escalation,

where an authenticated again, but a non-privileged user

can execute arbitrary commands, and then there is also a cross-site scripting vulnerability

that of course could also be used for privilege

escalation.

CERT.org did assign a base CVSS metrics of 9.3 to these vulnerabilities.

There isn't really a great workaround for any of them at this point, but what you probably should do is

just limit access to the device and not hand out credentials unless you further audit access

...