2:30pm, 24 October 2024
TLP Rating:
Zero-day vulnerability affecting FortiManager
A missing authentication for critical function in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests to port TCP/541. CVE-2024-47575
For most FortiManager applications, an upgrade to the latest version is required.
What's happening
Systems affected
FortiManager:
- FortiManager 7.6.0
- FortiManager 7.4.0 through 7.4.4
- FortiManager 7.2.0 through 7.2.7
- FortiManager 7.0.0 through 7.0.12
- FortiManager 6.4.0 through 6.4.14
- FortiManager 6.2.0 through 6.2.12
- FortiManager Cloud 7.4.1 through 7.4.4
- FortiManager Cloud 7.2.1 through 7.2.7
- FortiManager Cloud 7.0.1 through 7.0.12
- FortiManager Cloud 6.4 all versions
Note: FortiManager Cloud 7.6 is not affected.
Old FortiAnalyzer models (1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E) may also be vulnerable in certain configurations.
What this means
Listed FortiManager versions are vulnerable to CVE-2024-47575.
We are aware of active exploitation of this vulnerability. We recommend organisations inspect devices for suspicious activity and consider the potential risk and exposure of sensitive information held on these devices.
Consider rebuilding the affected devices with new credentials and using IP filtering to restrict access to these services.
What to look for
How to tell if you're at risk
You are at risk if you are running a FortiManager or FortiManager Cloud version within the listed affected ranges.
What to do
Prevention
FortiManager installations need to be upgraded to:
- FortiManager 7.6.1 or above
- FortiManager 7.4.5 or above
- FortiManager 7.2.8 or above
- FortiManager 7.0.13 or above
- FortiManager 6.4.15 or above
- FortiManager 6.2.13 or above
- FortiManager Cloud 7.4.5 or above
- FortiManager Cloud 7.2.8 or above
- FortiManager Cloud 7.0.13 or above
- FortiManager Cloud 6.4 - Migrate to a fixed release
Mitigation
There are three mitigations depending on the version of FortiManager you are using.
1. For FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0), prevent unknown devices from attempting to register:
config system global
(global)# set fgfm-deny-unknown enable
(global)# end
Warning: With this setting enabled, be aware that if a FortiGate's serial number is not in the device list, FortiManager will prevent it from connecting to register upon being deployed, even when a matching model device with a PSK exists.
2. Alternatively, for FortiManager versions 7.2.0 and above, you may add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect.
Example:
config system local-in-policy
edit 1
set action accept
set dport 541
set src
next
edit 2
set dport 541
next
end
3. For 7.2.2 and above, 7.4.0 and above, 7.6.0 and above it is also possible to use a custom certificate which will mitigate the issue:
config system global
set fgfm-ca-cert
set fgfm-cert-exclusive enable
end
Then install that certificate on the FortiGates. Only this CA will be accepted, so this can act as a workaround, provided the attacker cannot obtain a certificate signed by this CA via an alternate channel.
Note: For FortiManager versions 6.2, 6.4, and 7.0.11 and below, please upgrade to one of the versions above and apply the above workarounds.
More information
Fortinet advisory:
PSIRT | FortiGuard Labs
Fortinet upgrade path tool:
Fortinet Document Library | Upgrade Path Tool
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident to CERT NZ