Fortinet has confirmed details of a critical security flaw affecting FortiManager that is actively exploited in the wild.
Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol.
“Lack of Authentication for Critical Feature Vulnerability (CWE-306) in the FortiManager fgfmd daemon could allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests,” the company said in an advisory on Wednesday.
The vulnerability affects FortiManager 7.x and 6.x and FortiManager Cloud 7.x and 6.x. It also affects older FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E that have at least one interface with the fgfm service enabled and the following configuration:
    config system global
        set fmg-status enable
    end
Fortinet has also provided three workarounds for the flaw, depending on the currently installed FortiManager version:
- FortiManager 7.0.12 or later, 7.2.5 or later, 7.4.3 or later: Prevent unknown devices from attempting to register
- FortiManager 7.2.0 and later: Add a local-in policy to allow-list the IP addresses of FortiGates that are allowed to connect
- FortiManager 7.2.2 and later, 7.4.0 and later, 7.6.0 and later: Use a custom certificate
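As an added example (not code from the article, Fortinet, or runZero), the following Python script parses a FortiOS/FortiManager-style CLI configuration dump and reports the exposure condition described above: the fgfm service enabled on an interface, plus fmg-status enabled in the FortiAnalyzer case, and whether the first workaround (blocking registration of unknown devices) is in place. The sample dump is constructed, the `allowaccess`-style interface stanza is an assumption about the dump format, and the `fgfm-deny-unknown` keyword is assumed to be the setting behind workaround 1; the article does not name it, so confirm it against Fortinet's advisory before relying on the check.

```python
"""
Added example: parse a FortiOS/FortiManager "config ... end" CLI dump and
check the FortiJump exposure condition (fgfm on an interface, fmg-status on
a FortiAnalyzer) and whether workaround 1 is applied.  Not vendor code.
"""
from __future__ import annotations

# Constructed sample dump, not taken from a real appliance.
SAMPLE_CONFIG = """\
config system global
    set hostname FAZ-LAB
    set fmg-status enable
end
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
    edit "port2"
        set ip 198.51.100.10 255.255.255.0
        set allowaccess ping https
    next
end
"""

# Assumption: the CLI keyword behind workaround 1 ("prevent unknown devices
# from attempting to register") is fgfm-deny-unknown under "config system
# global".  Verify against Fortinet's advisory before relying on it.
DENY_UNKNOWN_KEY = "fgfm-deny-unknown"


def parse_config(text: str) -> dict[tuple[str, ...], dict[str, str]]:
    """Map each section path, e.g. ("system interface", "port1"), to its
    "set" key/value pairs.  Handles config/edit/set/next/end lines only."""
    tree: dict[tuple[str, ...], dict[str, str]] = {}
    stack: list[str] = []  # current nesting of config/edit names
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
            tree.setdefault(tuple(stack), {})
        elif line.startswith("edit "):
            stack.append(line[len("edit "):].strip('"'))
            tree.setdefault(tuple(stack), {})
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            tree.setdefault(tuple(stack), {})[key] = value.strip()
        elif line in ("next", "end") and stack:
            stack.pop()
    return tree


def assess(tree: dict, is_fortianalyzer: bool = False) -> dict:
    """Return exposure facts from a parsed dump.

    FortiManager is always in scope; a FortiAnalyzer is in scope only when
    fmg-status is enabled, as the article states.  Only workaround 1 can be
    judged from a dump; the local-in policy and custom certificate
    workarounds are not evaluated here.
    """
    glob = tree.get(("system global",), {})
    fmg_status_enabled = glob.get("fmg-status") == "enable"
    deny_unknown_enabled = glob.get(DENY_UNKNOWN_KEY) == "enable"
    # Interfaces whose allowaccess list includes the fgfm service.
    fgfm_interfaces = sorted(
        path[1]
        for path, settings in tree.items()
        if len(path) == 2
        and path[0] == "system interface"
        and "fgfm" in settings.get("allowaccess", "").split()
    )
    in_scope = fmg_status_enabled if is_fortianalyzer else True
    needs_action = in_scope and bool(fgfm_interfaces) and not deny_unknown_enabled
    return {
        "fmg_status_enabled": fmg_status_enabled,
        "fgfm_interfaces": fgfm_interfaces,
        "deny_unknown_enabled": deny_unknown_enabled,
        "needs_action": needs_action,
    }


if __name__ == "__main__":
    result = assess(parse_config(SAMPLE_CONFIG), is_fortianalyzer=True)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed dump the script reports port1 as fgfm-enabled, fmg-status on, the deny-unknown setting absent, and therefore `needs_action` true; adding the deny-unknown line, or disabling fmg-status on a FortiAnalyzer, clears it. A dump from a FortiManager should be assessed with `is_fortianalyzer=False`, since the fmg-status condition only applies to FortiAnalyzer models.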
According to runZero, successful exploitation requires that attackers possess a valid Fortinet device certificate, although it notes that such certificates can be obtained from an existing Fortinet device and reused.
“The identified actions of this attack in the wild consisted of automating via a script the hijacking of various files from the FortiManager containing the IP addresses, credentials and configurations of managed devices,” the company said.
However, it stressed that the vulnerability was not used to deploy malware or backdoors on compromised FortiManager systems, and there is no evidence of database or connection modification.
This development prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by November 13, 2024.
Fortinet also shared the following statement with The Hacker News:
After this vulnerability was discovered (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is consistent with our processes and best practices for responsible disclosure to allow customers to strengthen their security posture before guidance is publicly released to a wider audience, including threat actors. We have also published a related public advisory (FG-IR-24-423) reiterating mitigation recommendations, including workarounds and patch updates. We encourage customers to follow the recommendations for implementing workarounds and fixes and continue to monitor our recommendations page for updates. We continue to coordinate with relevant international government agencies and industry threat organizations as part of our response.