
THREAT LEVEL - HIGH
24-10-2024
New Critical FortiManager Vulnerability
Threat Level Description
IthacaLabs has maintained the Threat Level at High: an attack is highly likely. Addressing the broad nature of the threat in order to reach an acceptable risk level requires additional, sustainable protective security measures, combined with judgments specific to the business and geographical vulnerabilities involved.
Description
We have observed that a critical zero-day vulnerability affecting the FortiManager network management solution has been identified.
A remote unauthenticated attacker, by exploiting this issue, could execute arbitrary code and exfiltrate sensitive files containing configurations, IP addresses, and credentials for managed devices.
This vulnerability, tracked as CVE-2024-47575, also known as FortiJump, is rooted in the FortiGate to FortiManager (FGFM) protocol.
Fortinet created the “FortiGate to FortiManager Protocol” (FGFM) to allow companies to easily deploy FortiGate firewall devices and have them register with a remote FortiManager server so they can be managed from a central location.
The issue arises from a missing authentication for a critical function [CWE-306] in the FortiManager fgfmd daemon that could allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
Note that this vulnerability has been exploited in the wild for some time.
Analysis of attacks exploiting this vulnerability has shown that exploitation was automated via a script that exfiltrated various files from the FortiManager containing the IPs, credentials and configurations of the managed devices.
Affected Products:
- FortiManager 7.6.0
- FortiManager 7.4.0 through 7.4.4
- FortiManager 7.2.0 through 7.2.7
- FortiManager 7.0.0 through 7.0.12
- FortiManager 6.4.0 through 6.4.14
- FortiManager 6.2.0 through 6.2.12
- FortiManager Cloud 7.4.1 through 7.4.4
- FortiManager Cloud 7.2 (all versions)
- FortiManager Cloud 7.0 (all versions)
- FortiManager Cloud 6.4 (all versions)
The advisory indicates FortiManager Cloud 7.6 is not affected.
Recommendation(s):
You should proceed immediately and apply the relevant security patches provided by the vendor.
FortiManager customers should update to a supported, fixed version on an emergency basis, without waiting for a regular patch cycle to occur.
A workaround is also available for some versions, if it is not possible to install the latest firmware update at this time:
- Utilize the set fgfm-deny-unknown enable command to prevent devices with unknown serial numbers from registering with the FortiManager.
- Create a custom certificate for use when creating the SSL tunnel and authenticating FortiGate devices with FortiManager.
- Create an allowed list of IP addresses for FortiGate devices that are allowed to connect.
However, Fortinet warns that if a threat actor is able to obtain this certificate, then it could still be used to connect FortiGate devices and exploit the flaw.
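The three workarounds above expressed as FortiManager CLI, added here as an illustration and not taken from Fortinet's advisory or this bulletin. Only the fgfm-deny-unknown command is quoted above; the local-in-policy entries and the fgfm-ca-cert/fgfm-cert settings are assumed from the FortiManager CLI (the certificate keywords only exist on recent 7.2 and 7.4 builds) and should be checked against the CLI reference for your version, and 192.0.2.0/24 is a constructed placeholder for the addresses of your FortiGates.

```text
# Workaround 1: refuse registration from FortiGates whose serial number
# is not already known to this FortiManager (command quoted in the bulletin).
config system global
    set fgfm-deny-unknown enable
end

# Workaround 2 (assumed keywords, 7.2.2+/7.4.0+ only): authenticate the FGFM
# SSL tunnel with a custom CA and server certificate instead of the factory
# defaults. Import the certificates first; "FGFM-CA" and "FGFM-Server" are
# placeholder object names. Anyone holding these certificates can still
# register a device, which is the residual risk the bulletin warns about.
config system global
    set fgfm-ca-cert "FGFM-CA"
    set fgfm-cert "FGFM-Server"
end

# Workaround 3: local-in policy that accepts FGFM traffic (TCP/541) only from
# the constructed management range 192.0.2.0/24 and drops every other source.
# Entries are matched in order, so the accept rule must precede the drop rule.
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 192.0.2.0/24
    next
    edit 2
        set action drop
        set dport 541
        set src 0.0.0.0/0
    next
end
```

The deny-unknown and local-in-policy settings take effect immediately, so confirm that your existing FortiGates are still reporting in before relying on them, and treat registration attempts that are rejected by either as events worth reviewing against the vendor's IOC list.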
Fortinet’s advisory also includes a list of indicators of compromise (IOCs) that FortiManager customers should look for in their environments.
You should understand the importance of security updates and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to operate an efficient patch management solution, to keep active security event logging enabled at all times, and to practise event monitoring. Protecting the valuable assets of your business and remaining compliant with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.