CISA Added Fortinet FortiManager Vulnerability to its Known Exploitable Vulnerabilities Catalog (CVE-2024-47575)

Fortinet has released a security advisory warning customers about a FortiManager API vulnerability that was exploited in zero-day attacks. Tracked as CVE-2024-47575, the vulnerability is rated critical with a CVSS score of 9.8. According to the advisory, it has been used to steal sensitive files containing configurations, IP addresses, and credentials for managed devices.

This missing authentication for critical function vulnerability exists in the FortiManager fgfmd daemon. Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code via specially crafted requests.

The advisory confirms that the vulnerability is being exploited in the wild: “The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials, and configurations of the managed devices.”

CISA acknowledged the active exploitation of CVE-2024-47575 by adding it to its Known Exploited Vulnerabilities Catalog and requesting that users patch the flaw before November 13, 2024.

Fortinet FortiManager is a network security management tool that allows users to manage their Fortinet devices centrally. Users can manage a large number of Fortinet devices from a single console. FortiManager uses AI to automate configuration scripting, validation, and IoT vulnerability analytics tasks.

Affected and Fixed Versions

Version                  Affected                 Fixed
FortiManager 7.6         7.6.0                    Upgrade to 7.6.1 or above
FortiManager 7.4         7.4.0 through 7.4.4      Upgrade to 7.4.5 or above
FortiManager 7.2         7.2.0 through 7.2.7      Upgrade to 7.2.8 or above
FortiManager 7.0         7.0.0 through 7.0.12     Upgrade to 7.0.13 or above
FortiManager 6.4         6.4.0 through 6.4.14     Upgrade to 6.4.15 or above
FortiManager 6.2         6.2.0 through 6.2.12     Upgrade to 6.2.13 or above
FortiManager Cloud 7.6   Not affected             Not applicable
FortiManager Cloud 7.4   7.4.1 through 7.4.4      Upgrade to 7.4.5 or above
FortiManager Cloud 7.2   7.2.1 through 7.2.7      Upgrade to 7.2.8 or above
FortiManager Cloud 7.0   7.0.1 through 7.0.12     Upgrade to 7.0.13 or above
FortiManager Cloud 6.4   All 6.4 versions         Migrate to a fixed release


Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer):

config system global
set fmg-status enable
end

and at least one interface with the fgfm service enabled are also impacted by this vulnerability.

For more information, please refer to the Fortinet Security Advisory (FG-IR-24-423).

Workarounds

  1. For FortiManager versions 7.0.12 or above, 7.2.5 or above, and 7.4.3 or above (but not 7.6.0), prevent unknown devices from attempting to register:

config system global
set fgfm-deny-unknown enable
end

  2. For FortiManager versions 7.2.0 and above, add local-in policies that allow only the IP addresses of the FortiGates that are permitted to connect.

  3. For 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above, it is also possible to use a custom certificate, which mitigates the issue:

config system global
set fgfm-ca-cert
set fgfm-cert-exclusive enable
end

and install that certificate on the FortiGates.

Note: For FortiManager versions 6.2, 6.4, and 7.0.11 and below, please upgrade to one of the versions above and apply the above workarounds.
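The settings above are easy to verify by hand on one appliance but tedious across a fleet. The following script is an added example, not code from Qualys or Fortinet: it parses a FortiManager or FortiAnalyzer CLI configuration export (the "config ... set ... end" format shown above) and reports whether each advisory workaround is present, and whether the FortiManager-on-FortiAnalyzer feature (fmg-status) is enabled. The three system global settings are the ones named in the advisory; the "system local-in-policy" table path, the service name "FGFM", and the sample configuration are assumptions constructed for the example. A passing audit only confirms the workarounds are configured; it is not a substitute for upgrading to a fixed release.

```python
"""Audit a Fortinet CLI config export for the CVE-2024-47575 workaround settings.

Added example. Assumptions (not from the advisory): local-in policies are found
under "config system local-in-policy" with one "edit <id>" entry per rule, and the
export uses Fortinet's nested config/edit/set/next/end syntax.
"""
from __future__ import annotations

import shlex

ConfigTree = dict[tuple, dict[str, list[str]]]


def parse_config(text: str) -> ConfigTree:
    """Parse CLI config text into {path: {key: values}}.

    path is a tuple of "config" section names plus "edit" entry names, e.g.
    ("system global",) or ("system local-in-policy", "1").
    """
    tree: ConfigTree = {}
    stack: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)          # honours "quoted names"
        except ValueError:
            tokens = line.split()               # tolerate unbalanced quotes
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            stack.append(" ".join(args))
        elif verb == "edit":
            stack.append(args[0])
        elif verb in ("next", "end"):
            if stack:
                stack.pop()
        elif verb in ("set", "unset") and args:
            values = args[1:] if verb == "set" else []
            tree.setdefault(tuple(stack), {})[args[0]] = values
    return tree


def audit_workarounds(tree: ConfigTree) -> dict[str, bool]:
    """Return True/False per check; True means the setting is in place."""
    glob = tree.get(("system global",), {})
    return {
        # Workaround 1: refuse registration from unknown devices.
        "deny_unknown": glob.get("fgfm-deny-unknown") == ["enable"],
        # Workaround 3: custom CA configured and made exclusive for FGFM.
        "custom_cert_exclusive": (
            glob.get("fgfm-cert-exclusive") == ["enable"]
            and bool(glob.get("fgfm-ca-cert"))
        ),
        # Workaround 2: at least one local-in policy entry exists (assumed path).
        "local_in_policy": any(
            len(path) == 2 and path[0] == "system local-in-policy" for path in tree
        ),
        # Exposure indicator for FortiAnalyzer: FortiManager feature enabled.
        "fmg_on_fortianalyzer": glob.get("fmg-status") == ["enable"],
    }


def audit_text(text: str) -> dict[str, bool]:
    return audit_workarounds(parse_config(text))


# Constructed sample export with all three workarounds applied.
SAMPLE_CONFIG = """\
config system global
    set hostname FMG-LAB
    set fgfm-deny-unknown enable
    set fgfm-ca-cert "LAB-FGFM-CA"
    set fgfm-cert-exclusive enable
end
config system local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "fortigate-mgmt-net"
        set dstaddr "all"
        set service "FGFM"
        set action accept
    next
end
"""

if __name__ == "__main__":
    for check, ok in audit_text(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents; the fmg_on_fortianalyzer line is informational (it flags a FortiAnalyzer that is in scope), while the other three should all read PASS until the appliance is upgraded.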

Qualys Detection

Qualys customers can scan their devices with QID 44450 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://fortiguard.fortinet.com/psirt/FG-IR-24-423
