Vulnerabilities in Fortinet products have been frequent, and based on sheer numbers it's easy to condemn FortiOS as a buggy, insecure piece of software. Palo Alto had its moment in the spotlight too when it struggled with a new critical zero-day. I was curious to find out whether Fortinet is really so much worse than its competitors, and if so, why.
Number of CVEs. Public CVE statistics are available, but comparison is hard because the counts depend on many parameters and dimensions (which products are in scope, how the vendor assigns CVEs, how the database classifies them). By raw numbers, Fortinet has far more public CVEs than Palo Alto and Checkpoint. For example, in 2023 Fortinet had 198 CVEs, Palo Alto 20, and Checkpoint 2 according to CVEdetails.com. That's an order-of-magnitude gap between vendors.
- Fortinet https://www.cvedetails.com/vulnerability-list/vendor_id-3080/Fortinet.html
- Palo Alto https://www.cvedetails.com/vulnerability-list/vendor_id-12836/Paloaltonetworks.html
- Checkpoint https://www.cvedetails.com/vulnerability-list/vendor_id-136/Checkpoint.html
Stack.watch lists roughly the same vulnerability counts, but also average CVSS scores by vendor. In 2023 Fortinet had 195 vulnerabilities, Palo Alto 15, and Checkpoint 3. Interestingly, Checkpoint had the highest average score in 2023, though with only three entries that average rests on very little data. Otherwise the average scores for all vendors land in the 6-7 range.
- Fortinet: https://stack.watch/product/fortinet/
- Palo Alto: https://stack.watch/product/paloaltonetworks/
- Checkpoint: https://stack.watch/product/checkpoint/
Exploitation risk. Each vulnerability has a CVSS and an EPSS rating. CVSS scores the severity of a vulnerability if it is exploited; EPSS estimates the probability that it will be exploited in the wild within the next 30 days. These ratings measure different things and don't track each other, so a vulnerability can be critical by CVSS while its exploitation probability stays low, and a lower CVSS score can go together with a high EPSS score and high real-world risk. An analysis by Phoenix Security from about a year ago found that the highly exploitable vulnerabilities tend to have EPSS 0.7 or higher. The CISA KEV catalog lists vulnerabilities that have a public CVE, reliable evidence of active exploitation, and a clear remediation. KEV is just one exploitation source and the EPSS rating doesn't agree with it in every case, but the two broadly line up, since both reflect actual exploitation rather than theoretical severity. Currently, KEV lists 13 Fortinet, 5 Palo Alto, and 0 Checkpoint CVEs exploited in the wild. Fortinet still leads, but the numbers are much more even.
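As an added illustration (not part of the original post, and not built on real CVE data), here is a small Python triage that applies the point above: rank vulnerabilities by KEV membership first, then EPSS, then CVSS, and flag records where CVSS and EPSS disagree. The CVE identifiers, vendor names, and scores are constructed for the example; the 0.7 EPSS cut-off is the Phoenix Security figure cited above, used here as a hypothetical policy threshold.

```python
"""Prioritise vulnerabilities by exploitation evidence rather than CVSS alone."""
from dataclasses import dataclass

# EPSS threshold taken from the Phoenix Security figure cited in the text;
# treated here as a hypothetical policy cut-off, not an official value.
EPSS_HIGH = 0.7


@dataclass(frozen=True)
class Vuln:
    cve: str
    vendor: str
    cvss: float   # CVSS base score: severity if exploited (0-10)
    epss: float   # EPSS: probability of exploitation in the next 30 days (0-1)
    in_kev: bool  # listed in the CISA KEV catalog (evidence of active exploitation)


# Constructed sample records. Identifiers, vendors, and scores are made up
# for illustration and do not correspond to real CVEs.
SAMPLE = [
    Vuln("CVE-0000-0001", "VendorA", 9.8, 0.02, False),  # critical, but rarely exploited
    Vuln("CVE-0000-0002", "VendorA", 6.5, 0.85, False),  # medium, but very likely exploited
    Vuln("CVE-0000-0003", "VendorA", 7.2, 0.40, True),   # in KEV: exploitation confirmed
    Vuln("CVE-0000-0004", "VendorB", 5.3, 0.01, False),
    Vuln("CVE-0000-0005", "VendorB", 9.1, 0.75, True),
    Vuln("CVE-0000-0006", "VendorC", 8.8, 0.10, False),
]

TIER_RANK = {"P1-kev": 0, "P2-epss": 1, "P3-critical": 2, "P4-backlog": 3}


def risk_tier(v: Vuln) -> str:
    """Confirmed exploitation beats predicted exploitation beats raw severity."""
    if v.in_kev:
        return "P1-kev"
    if v.epss >= EPSS_HIGH:
        return "P2-epss"
    if v.cvss >= 9.0:
        return "P3-critical"
    return "P4-backlog"


def prioritise(vulns):
    """Order by tier, then by descending EPSS, then by descending CVSS."""
    return sorted(vulns, key=lambda v: (TIER_RANK[risk_tier(v)], -v.epss, -v.cvss))


def disagreements(vulns):
    """Records where CVSS and EPSS point in opposite directions."""
    out = {}
    for v in vulns:
        if v.cvss >= 9.0 and v.epss < 0.1:
            out[v.cve] = "severe-but-unlikely"
        elif v.cvss < 7.0 and v.epss >= EPSS_HIGH:
            out[v.cve] = "likely-but-moderate"
    return out


def kev_count_by_vendor(vulns):
    """How many of each vendor's CVEs carry evidence of active exploitation."""
    counts = {}
    for v in vulns:
        if v.in_kev:
            counts[v.vendor] = counts.get(v.vendor, 0) + 1
    return counts


if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        print(f"{risk_tier(v):12} {v.cve} {v.vendor} cvss={v.cvss} epss={v.epss}")
    print("disagreements:", disagreements(SAMPLE))
    print("KEV per vendor:", kev_count_by_vendor(SAMPLE))
```

With real data, the EPSS column comes from FIRST's EPSS feed and the KEV flag from the CISA KEV JSON catalog; the ranking logic stays the same. The ordering shows the mismatch the text describes: the CVSS 6.5 record with EPSS 0.85 lands above the CVSS 9.8 record with EPSS 0.02.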
Vulnerability types and impact. CVEdetails.com also provides heat maps of vulnerability and impact type categorizations. Fortinet has the biggest problems with XSS, memory corruption, overflows, directory traversal, and input validation. Palo Alto shows the same classes, while Checkpoint has only a handful of memory corruption, file inclusion, and input validation issues. Looking at the years, Palo Alto was hit mostly during 2020-2022 and Checkpoint during 2019-2021. Recently both have moved to fewer vulnerabilities, whether through changes in coding, operating, or reporting practices, or something else. Fortinet has been badly affected since 2019, except for 2022, which was a better year. It looks like Fortinet has bigger problems than its competitors.
- Fortinet https://www.cvedetails.com/vendor/3080/Fortinet.html
- Palo Alto https://www.cvedetails.com/vendor/12836/Paloaltonetworks.html
- Checkpoint https://www.cvedetails.com/vendor/136/Checkpoint.html
Vulnerability management practices. It is widely held that these three vendors behave differently when disclosing vulnerabilities. Fortinet is known as open and transparent: it actively looks for vulnerabilities in its own products, publishes them quickly and voluntarily, often credits the researchers, and provides a workaround in the advisory. Checkpoint is probably the opposite, patching vulnerabilities quietly in the background without telling the public much, and its vulnerability management is possibly more reactive. Palo Alto is likely somewhere in between. Vendors profile themselves by how secure and stable their products are, and they like to use CVE counts in marketing and sales pitches against each other. Note that this cuts both ways for the statistics above: a vendor that assigns CVEs to internally found bugs will show a higher count than one that fixes the same bugs silently.
Code quality. One thing in the background is software architecture, quality, and development and release practices. FortiOS code probably has problems because some of its vulnerabilities are not novel; they look like repeats of the same bug classes seen in the early 2000s, such as overflows and directory traversal. The SSL VPN component is a proprietary implementation and a pain point, especially for Fortinet but for other vendors too.
There are also code QA issues. It feels as though Fortinet quite often releases buggy code that introduces new problems while patching vulnerabilities. Some of these regressions are documented as known issues, but release documentation could be better from all vendors to prevent further damage. Palo Alto and Checkpoint have bugs too, although they are commonly considered to ship higher-quality software. Patching vulnerabilities means upgrading devices more often. That's more work and probably more problems too. But technology changes fast, and no product can be so stable that it wouldn't need regular updates.
Underlying OS. All three operating systems are Linux-based. PAN-OS is based on Fedora, Gaia on RHEL, and FortiOS runs a customized Linux kernel. That could be one reason why FortiOS is harder to maintain, who knows? Palo Alto lists all the OSS components used in PAN-OS; Fortinet and Checkpoint don't, or the information is hard to find. Note that it's not uncommon for vendors to ship end-of-life software components in their OS. The vendor's reasoning is that the OS is so locked down that exploits against those components don't pose a risk. That holds only as long as nothing gives an attacker a foothold on the box: a pre-auth bug in an exposed service such as SSL VPN lands the attacker inside that same locked-down OS, next to the outdated components.
Number of products. Company history, acquisitions, and product evolution may affect software complexity too. Checkpoint is the oldest, established in 1993, and its platform has gone through some major changes on the path to the current Gaia. Fortinet started in 2000 and Palo Alto in 2005, and both have stayed more consistently on their original platforms. All three vendors have made about the same number of acquisitions. Palo Alto is the youngest, so it has had the least time to integrate all its acquisitions and products. All these company and product mergers may affect software development negatively.
Notably, Fortinet has a very wide portfolio of networking and security products, which probably means FortiOS is more complex and harder to maintain. CVEdetails.com lists 258 Fortinet products, 61 Palo Alto products, and 64 Checkpoint products. In any case, all vendors run into the same problem somewhere: a sprawling, hard-to-manage code base once more platforms and features are added to the same software.
Number of devices. Fortinet is number one in global firewall units shipped; it has cumulatively sold at least 12 million units into the field. Palo Alto's and Checkpoint's numbers are not public. That's why Fortinet's exposure is high. Fortinet also sells a lot of smaller devices that are used in critical infrastructure in many sectors. Fortinet and Palo Alto are also US DoD-approved vendors, but Checkpoint is not. Therefore Fortinet and Palo Alto are more likely targets for nation-state attackers and zero-days. By device count and deployment type, Fortinet is a high-value target, and vulnerabilities are found more often in software that attracts that much attention.
Conclusion
Reality is complicated and has many dimensions. Fortinet clearly has more public CVEs than its competitors. That's partly because it manages vulnerabilities in its products quickly, transparently, and proactively. That's a good thing and deserves respect. At the same time, frequent vulnerability announcements and software patches generate noise in the media and the community. Forti-devices are at risk, but how much varies.
The second factor is Fortinet's pervasive presence in networks and critical infrastructure, which makes it an attractive target for attackers. The more a piece of software gets attacked, the more vulnerabilities are usually found in it. Fortinet's software quality might have issues, but I'm not sure it is notably different from the other vendors.
This is just pondering without hard facts, and it's difficult to know what happens behind a vendor's curtains. You can read certain signals from public discussions about vendors, their products, and their practices, but in the end you can't rely on that too much. One thing is sure: vulnerabilities are here to stay, and we need to know about them and address them quickly and easily. So keep updating!