Fortinet released a security advisory warning customers about a FortiManager API vulnerability exploited in zero-day attacks. Tracked as CVE-2024-47575, the vulnerability is rated critical with a CVSS score of 9.8. Fortinet states in the advisory that the vulnerability has been used to steal sensitive files containing configurations, IP addresses, and credentials of managed devices.
The flaw is a missing-authentication-for-critical-function vulnerability in the FortiManager fgfmd daemon. Successful exploitation may allow a remote, unauthenticated attacker to execute arbitrary code via specially crafted requests.
The advisory confirms that the vulnerability is being exploited in the wild: “The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials, and configurations of the managed devices.”
CISA acknowledged the active exploitation of CVE-2024-9680 by adding it to its Known Exploited Vulnerabilities Catalog and requesting users patch the flaw before November 13, 2024.
Fortinet FortiManager is a centralized network security management tool for Fortinet devices: a single console can manage a large number of them. FortiManager also uses AI to automate configuration scripting, validation, and IoT vulnerability analytics.
Affected and Fixed Versions
| Version | Affected | Fixed |
|---|---|---|
| FortiManager 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| FortiManager 6.2 | 6.2.0 through 6.2.12 | Upgrade to 6.2.13 or above |
| FortiManager Cloud 7.6 | Not affected | Not applicable |
| FortiManager Cloud 7.4 | 7.4.1 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager Cloud 7.2 | 7.2.1 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager Cloud 7.0 | 7.0.1 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager Cloud 6.4 | 6.4 all versions | Migrate to a fixed release |
Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E are also affected when the FortiManager-on-FortiAnalyzer feature is enabled:

```
config system global
    set fmg-status enable
end
```

and at least one interface has the fgfm service enabled.
For more information, please refer to the Fortinet Security Advisory (FG-IR-24-423).
Workarounds
- For FortiManager versions 7.0.12 or above, 7.2.5 or above, and 7.4.3 or above (but not 7.6.0), prevent unknown devices from attempting to register:
  ```
  config system global
  (global)# set fgfm-deny-unknown enable
  (global)# end
  ```
- For FortiManager versions 7.2.0 and above, users may add local-in policies to allow the IP addresses of FortiGates that are allowed to connect.
- For 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above, a custom certificate can also be used to mitigate the issue:
  ```
  config system global
      set fgfm-ca-cert
      set fgfm-cert-exclusive enable
  end
  ```
  Then install that certificate on the FortiGates.
Note: For FortiManager versions 6.2, 6.4, and 7.0.11 and below, please upgrade to one of the versions above and apply the above workarounds.
Qualys Detection
Qualys customers can scan their devices with QID 44450 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://fortiguard.fortinet.com/psirt/FG-IR-24-423