
Advisory 2024-2210 - Fortinet FortiManager: Vulnerability allows code execution

Notice: By exception, this advisory is shown in full to the public. As a customer, you regularly receive vulnerability details via your login or through our daily advisory e-mail.
Attack probability: 5 (high)
Potential damage: 5 (high)
Attacker: remote anonymous attacker
Exploit available
Date: 2024-10-23
Release: 2024-10-24 UPDATE

Operating System

  • Appliance

Software

  • Fortinet FortiManager < 7.6.1

UPDATE 2024-10-24

  • Fortinet FortiManager < 6.2.13
  • Fortinet FortiManager < 6.4.15
  • Fortinet FortiManager < 7.0.13
  • Fortinet FortiManager < 7.2.8
  • Fortinet FortiManager < 7.4.5

Attack

A remote anonymous attacker can exploit a vulnerability in Fortinet FortiManager in order to execute arbitrary code.

Description

FortiManager Security Management appliances provide centralized management of any number of Fortinet Network Security devices.

CVE-2024-47575

There is a vulnerability in Fortinet FortiManager in the "FortiGate to FortiManager (FGFM) protocol", which uses port 541/tcp. Due to missing authentication, a remote, anonymous attacker with their own FortiGate appliance can register with any FortiManager. As a result, the attacker can exploit this vulnerability in the FGFM protocol daemon (fgfmd) to execute arbitrary code and potentially manipulate other managed Fortinet devices.

CVSSv2 Base Score: 10.0 / Temporal Score: 8.7
AV:N/AC:L/AU:N/C:C/I:C/A:C/E:H/RL:OF/RC:ND
CVSSv3.1 Base Score: 10.0 / Temporal Score: 9.5
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:X

According to several media reports, this vulnerability is already being exploited by threat actors.

Recommendation

As a workaround, it is recommended to block port 541/tcp for exposed FortiManagers.
https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerability-used-by-nation-state-in-espionage-via-msps-c79abec59773

There is currently no update or patch available to fix this vulnerability.
https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerability-used-by-nation-state-in-espionage-via-msps-c79abec59773

UPDATE 2024-10-24

Fortinet describes a workaround. For further information, please consult the vendor's advisory.
https://fortiguard.fortinet.com/psirt/FG-IR-24-423

Fortinet provides updates. Please update your installation and see the vendor's advisory to find the proper version for your environment.
https://fortiguard.fortinet.com/psirt/FG-IR-24-423
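To apply this recommendation across an estate, the following added example (not part of the advisory or of any Fortinet tooling) triages a FortiManager inventory against the fixed versions listed in the Software section above; the hostnames and version strings are constructed sample data, and a branch the advisory does not list is flagged for manual assessment rather than treated as safe.

```python
import re

# Added example, not from the advisory. Earliest fixed release per branch, taken from
# the Software section above (as updated 2024-10-24); sample hostnames below are constructed.
FIXED_BY_BRANCH = {
    (6, 2): (6, 2, 13),
    (6, 4): (6, 4, 15),
    (7, 0): (7, 0, 13),
    (7, 2): (7, 2, 8),
    (7, 4): (7, 4, 5),
    (7, 6): (7, 6, 1),
}

def parse_version(text):
    """Extract (major, minor, patch) from '7.4.3' or vendor-style 'v7.4.3,build2600'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def classify(version_text):
    """'affected' or 'fixed' per the advisory; 'not-covered' when the branch is not
    listed, so that host needs manual assessment rather than a silent pass."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return "not-covered"
    return "fixed" if (major, minor, patch) >= fixed else "affected"

def triage(inventory):
    """Classify each (hostname, version) pair; affected hosts sort to the top."""
    order = {"affected": 0, "not-covered": 1, "fixed": 2}
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory: hostnames and versions are illustrative, not real assets.
SAMPLE_INVENTORY = [
    ("fmg-hq-01", "v7.4.4,build2600"),
    ("fmg-hq-02", "7.4.5"),
    ("fmg-dc-01", "7.6.0"),
    ("fmg-lab-01", "7.2.8"),
    ("fmg-legacy-01", "6.0.12"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:<16}{ver:<20}{status}")
```

Hosts reported as affected or not-covered should also have port 541/tcp blocked at the perimeter, as recommended above, until they are confirmed updated.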

Information

Article on doublepulsar.com dated 2024-10-22
https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerability-used-by-nation-state-in-espionage-via-msps-c79abec59773

UPDATE 2024-10-24

FortiGuard PSIRT Advisory FG-IR-24-423 dated 2024-10-23
https://fortiguard.fortinet.com/psirt/FG-IR-24-423

References

CVE:CVE-2024-47575
FORTINET:FG-IR-24-423
VULNAME:FORTIJUMP

Disclaimer

*The probability of an attack is determined by the attacker's motivation, the necessary effort and the opportunities for an attack. The potential damage is determined by the effort needed to remediate the attack and the probable indirect consequences of an attack for business processes. Telekom Security assumes worst-case scenarios.

Copyright © 1999-2024 Deutsche Telekom Security GmbH. All rights reserved. Reproduction and distribution of this publication in any form - even in parts - without prior written permission is forbidden.

The information contained herein has been obtained from sources believed to be reliable and trusted, or has been verified. Telekom Security accepts liability for completeness, accuracy and correctness only insofar as gross negligence or intent creates liability. Any liability beyond this, in particular for possible damages resulting from the use or unusability of the information contained herein, is excluded.