Fortinet Issues Urgent Warning About Critical FortiManager Vulnerability (CVE-2024-47575)
Fortinet has publicly disclosed a critical vulnerability in its FortiManager product, designated as CVE-2024-47575, which has already been exploited in zero-day attacks. This serious flaw allows attackers to access and steal sensitive information, including configuration files, IP addresses, and credentials for managed devices.
Background on the Disclosure
The company began alerting FortiManager customers privately on October 13, sending out advance notification emails that outlined steps to mitigate the issue until a security update became available. However, information about the vulnerability leaked online, with users discussing it on platforms like Reddit and cybersecurity researcher Kevin Beaumont sharing details on Mastodon. Beaumont dubbed the exploit “FortiJump,” indicating its severe implications.
Some users reported that they had experienced attacks weeks prior to Fortinet's notifications. One user commented on Reddit, "We got breached on this one weeks before it hit 'advance notifications'—0-day I guess."
Details of CVE-2024-47575
Fortinet's advisory describes this vulnerability as a "missing authentication for critical function vulnerability [CWE-306]" in the FortiManager fgfmd daemon. This flaw enables remote unauthenticated attackers to execute arbitrary code or commands through specially crafted requests. The vulnerability has a severity score of 9.8 out of 10, underscoring its critical nature.
The exploit requires attackers to first extract a valid certificate from any Fortinet devices they own or have compromised, including FortiManager VMs.
Affected FortiManager Versions
The vulnerability affects multiple versions of FortiManager, and Fortinet has provided recommended solutions:
Version | Affected | Solution |
---|---|---|
FortiManager 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
FortiManager 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
FortiManager 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
FortiManager 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above |
FortiManager 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
FortiManager 6.2 | 6.2.0 through 6.2.12 | Upgrade to 6.2.13 or above |
FortiManager Cloud 7.6 | Not affected | Not Applicable |
FortiManager Cloud 7.4 | 7.4.1 through 7.4.4 | Upgrade to 7.4.5 or above |
FortiManager Cloud 7.2 | 7.2.1 through 7.2.7 | Upgrade to 7.2.8 or above |
FortiManager Cloud 7.0 | 7.0.1 through 7.0.12 | Upgrade to 7.0.13 or above |
FortiManager Cloud 6.4 | All versions | Migrate to a fixed release |
Currently, only FortiManager versions 7.2.8 and 7.4.5 have been released, with additional updates expected shortly.
Exploitation and Risks
The CVE-2024-47575 vulnerability can be exploited to execute commands and retrieve information from managed devices, potentially giving attackers full control over corporate networks. As Beaumont notes, Managed Service Providers (MSPs) often use FortiManager, making it an attractive target for attackers. Once access to a managed FortiGate firewall is obtained, attackers could navigate back to the FortiManager and access downstream networks.
Mitigation Strategies
If immediate firmware updates are not feasible, Fortinet recommends several mitigation strategies:
- Command Utilization: Use the command
set fgfm-deny-unknown enable
to prevent devices with unknown serial numbers from registering with FortiManager. - Custom Certificate: Create a custom certificate for SSL tunneling to authenticate FortiGate devices with FortiManager.
- IP Allowlisting: Create an allowed list of IP addresses for FortiGate devices permitted to connect.
Detailed instructions for these mitigations can be found in Fortinet's advisory.
Impact of the Exploit
The attacks observed have focused on stealing sensitive files from the FortiManager server, including configuration data and credentials. Fortinet has reported no evidence of malware installation or unauthorized changes to managed FortiGate devices.
However, to help security professionals identify potential breaches, Fortinet has released several Indicators of Compromise (IOCs):
- Unregistered FortiGate devices connected to the FortiManager server under the name "localhost."
- Specific log entries showing unauthorized API commands to add and modify device settings.
- Several IP addresses associated with the attacks, all hosted by the cloud provider Vultr.
Customer Reactions and Fortinet's Communication
While Fortinet has emphasized its commitment to responsible disclosure, some customers have expressed frustration regarding the notification process. Reports indicate that not all customers received advance alerts, forcing them to rely on leaked information.
Fortinet has encouraged customers who believe they missed notifications to verify their contact information with Fortinet or their resellers.
No comments:
Post a Comment