FortiManager Zero-Day Exploit: Fortinet Issues Urgent Security Warning

 



Fortinet Issues Urgent Warning About Critical FortiManager Vulnerability (CVE-2024-47575)

Fortinet has publicly disclosed a critical vulnerability in its FortiManager product, designated as CVE-2024-47575, which has already been exploited in zero-day attacks. This serious flaw allows attackers to access and steal sensitive information, including configuration files, IP addresses, and credentials for managed devices.


Background on the Disclosure

The company began alerting FortiManager customers privately on October 13, sending out advance notification emails that outlined steps to mitigate the issue until a security update became available. However, information about the vulnerability leaked online, with users discussing it on platforms like Reddit and cybersecurity researcher Kevin Beaumont sharing details on Mastodon. Beaumont dubbed the exploit “FortiJump,” indicating its severe implications.

Some users reported that they had experienced attacks weeks prior to Fortinet's notifications. One user commented on Reddit, "We got breached on this one weeks before it hit 'advance notifications'—0-day I guess."

Details of CVE-2024-47575

Fortinet's advisory describes this vulnerability as a "missing authentication for critical function vulnerability [CWE-306]" in the FortiManager fgfmd daemon. This flaw enables remote unauthenticated attackers to execute arbitrary code or commands through specially crafted requests. The vulnerability has a severity score of 9.8 out of 10, underscoring its critical nature.

The exploit requires attackers to first extract a valid certificate from any Fortinet devices they own or have compromised, including FortiManager VMs.

Affected FortiManager Versions

The vulnerability affects multiple versions of FortiManager, and Fortinet has provided recommended solutions:

VersionAffectedSolution
FortiManager 7.67.6.0Upgrade to 7.6.1 or above
FortiManager 7.47.4.0 through 7.4.4Upgrade to 7.4.5 or above
FortiManager 7.27.2.0 through 7.2.7Upgrade to 7.2.8 or above
FortiManager 7.07.0.0 through 7.0.12Upgrade to 7.0.13 or above
FortiManager 6.46.4.0 through 6.4.14Upgrade to 6.4.15 or above
FortiManager 6.26.2.0 through 6.2.12Upgrade to 6.2.13 or above
FortiManager Cloud 7.6Not affectedNot Applicable
FortiManager Cloud 7.47.4.1 through 7.4.4Upgrade to 7.4.5 or above
FortiManager Cloud 7.27.2.1 through 7.2.7Upgrade to 7.2.8 or above
FortiManager Cloud 7.07.0.1 through 7.0.12Upgrade to 7.0.13 or above
FortiManager Cloud 6.4All versionsMigrate to a fixed release

Currently, only FortiManager versions 7.2.8 and 7.4.5 have been released, with additional updates expected shortly.

Exploitation and Risks

The CVE-2024-47575 vulnerability can be exploited to execute commands and retrieve information from managed devices, potentially giving attackers full control over corporate networks. As Beaumont notes, Managed Service Providers (MSPs) often use FortiManager, making it an attractive target for attackers. Once access to a managed FortiGate firewall is obtained, attackers could navigate back to the FortiManager and access downstream networks.

Mitigation Strategies

If immediate firmware updates are not feasible, Fortinet recommends several mitigation strategies:

  1. Command Utilization: Use the command set fgfm-deny-unknown enable to prevent devices with unknown serial numbers from registering with FortiManager.
  2. Custom Certificate: Create a custom certificate for SSL tunneling to authenticate FortiGate devices with FortiManager.
  3. IP Allowlisting: Create an allowed list of IP addresses for FortiGate devices permitted to connect.

Detailed instructions for these mitigations can be found in Fortinet's advisory.

Impact of the Exploit

The attacks observed have focused on stealing sensitive files from the FortiManager server, including configuration data and credentials. Fortinet has reported no evidence of malware installation or unauthorized changes to managed FortiGate devices.

However, to help security professionals identify potential breaches, Fortinet has released several Indicators of Compromise (IOCs):

  • Unregistered FortiGate devices connected to the FortiManager server under the name "localhost."
  • Specific log entries showing unauthorized API commands to add and modify device settings.
  • Several IP addresses associated with the attacks, all hosted by the cloud provider Vultr.

Customer Reactions and Fortinet's Communication

While Fortinet has emphasized its commitment to responsible disclosure, some customers have expressed frustration regarding the notification process. Reports indicate that not all customers received advance alerts, forcing them to rely on leaked information.

Fortinet has encouraged customers who believe they missed notifications to verify their contact information with Fortinet or their resellers.

No comments:

Global Espionage? Chinese Cyber Centre Accuses U.S. of Tech Firm Hacks

  U.S. Accused of Cyberattacks and Trade Secret Theft by Chinese Cybersecurity Centre A Chinese cybersecurity organization has accused the U...