Skip to main content

This critical vulnerability could lead to unauthenticated arbitrary code execution

Threat ID:CC-4567
Threat Severity:High
Published:24 October 2024 11:02 AM

Summary

This critical vulnerability could lead to unauthenticated arbitrary code execution

Affected platforms

The following platforms are known to be affected:

Fortinet FortiManager
  • 7.6.0
  • 7.4.0 to 7.4.4
  • 7.2.0 to 7.2.7
  • 7.0.0 to 7.0.12
  • 6.4.0 to 6.4.14
  • 6.2.0 to 6.2.12
Fortinet FortiManager Cloud
  • 7.4.1 to 7.4.4
  • 7.2.1 to 7.2.7
  • 7.0.1 to 7.0.12
  • 6.4 all versions
Fortinet FortiAnalyzerFortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer):
  • config system global
  • set fmg-status enable
  • end
and at least one interface with fgfm service enabled are also impacted

Threat details

Exploitation of CVE-2024-47575 in the wild

Fortinet state that this zero-day vulnerability has been exploited and that the identified actions of this attack in the wild have been to use a script to automate the exfiltration of various files from FortiManager, which contained the IPs, credentials, and configurations of the managed devices.


Introduction

Fortinet has released a security advisory to address a critical vulnerability in the FortiManager fgfmd daemon. 

CVE-2024-47575 is a ‘missing authentication for critical function’ vulnerability with a CVSSv3 score of 9.8. A remote unauthenticated attacker could send a specially crafted request to execute arbitrary code (ACE) or commands. 

Threat updates

  
31 Oct 2024Updated to reflect information added to the advisory

Added IoCs (4 IP addresses and 1 serial number), note to log entries, and link to 'Best Practices for Maintaining Secure Credentials'.

25 Oct 2024Correction to remediation link

The link to the advisory was incorrectly listed as FG-IR-24-029, although the link itself was correctly linked to FG-IR-24-423. It has been changed to the actual advisory name. 

Remediation advice

Affected organisations must review Fortinet PSIRT Advisory FG-IR-24-423, apply security updates, and follow Fortinet's recovery guidance, which has been listed below. 

If organisations are unable to immediately apply security updates, workarounds are outlined in the advisory FG-IR-24-423 as a temporary measure.

Remediation steps

  
Guidance

A FortiManager configuration backup file would not contain any OS or system-level file changes, as these files are not included in the archive. Therefore, taking a backup from a compromised system and then restoring it on a fresh or re-initialised one, would not carry over and re-introduce such low-level changes. When taking this approach, be aware that the data may have been tampered with. Careful review should be done to confirm configuration accuracy.

The methods below assume that the managed devices (FortiGates or other) contained in the backup have not been tampered with and that their configurations are reliable. Event log activity verification of the FortiGates should be reviewed starting from the date of the identified IoCs, to determine if there were any unauthorised access or configuration changes. Since data may have been exfiltrated from the FortiManager database, we recommend that the credentials, such as passwords and user-sensitive data, of all managed devices, be urgently changed.

For a more detailed list, see Best Practices for Maintaining Secure Credentials.

For VM installations, recovery can be facilitated by keeping a copy of the compromised FortiManager in an isolated network with no Internet connection, as well as configuring it in offline mode and closed-network mode operation (see settings below). This system can be used to compare with the new one which will be set up in parallel.

  • config system admin setting
  • set offline_mode enable
  • end
  • config fmupdate publicnetwork
  • set status disable
  • end

Guidance

Option 1 – Recommended Recovery Action

This method ensures that the FortiManager configuration was not tampered with. It will require database rebuilding or device configuration  resynchronisations at the Device and Policy Package ADOM levels.

  • Installing a fresh FortiManager VM or re-initialising a hardware model and adding/discovering the devices.
  • Installing a fresh FortiManager VM or re-initialising a hardware model, and restoring a backup taken before the IoC detection.

Guidance

Option 2 – Alternative Recovery Action

This method provides a quick recovery, where partial or no database rebuilding/resynchronisation is required. It requires that you manually verify accuracy of the currently running FortiManager configuration

  • Installing a fresh FortiManager VM or re-initialising a hardware model and restoring/copying components or configuration sections from a compromised FortiManager.
  • Installing a fresh FortiManager VM or re-initialising a hardware model, and restoring a backup from a compromised FortiManager.

Guidance

For more info on data configuration and synchronisation procedures: https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-data-configuration-and/ta-p/351748


Indicators of compromise

- Log Entries

type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"

type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

Important note: The two entries above may keep being logged even on an up-to-date, patched system (such as FortiManager 7.4.5) - in which case they are not IoCs anymore, but rather indicators of a (failed) attempt to compromise the system. The fix is not meant to prevent adding unauthorised devices (which these log entries are indicative of, and which can legitimately happen in a deployment context), it is meant to prevent unauthorised devices from sending exploit commands.

- IP Addresses

45.32.41.202
104.238.141.143
158.247.199.37
45.32.63.2
80.66.196.199
104.238.141.143
158.247.199.37
195.85.114.78
172.232.167.68

- Serial Number

FMG-VMTM23017412
FMG-VMTM19008093

Files

/tmp/.tm
/var/tmp/.tm


Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2024-47575A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests.

Last edited: 31 October 2024 2:21 pm

Back to top