• mehdi@mkvlab.at

Critical zero-day vulnerability in FortiManager is actively exploited – CVE-2024-47575

A missing authentication for critical function vulnerability tracked as CVE-2024-47575 in the FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. Reports have shown this vulnerability to be exploited in the wild. Fortinet privately warned FortiManager customers about the flaw starting October 13th in advance notification emails seen by BleepingComputer, which contained steps to mitigate the flaw until a security update was released.

Threat actors could exploit the flaw by using attacker-controlled FortiManager and FortiGate devices with valid certificates to register themselves with any exposed FortiManager server. Once their device was connected, even in an unauthorized state, they could execute API commands on the FortiManager and steal configuration data about managed devices.

Fortinet has released patches for CVE-2024-47575 and offered mitigations, such as only allowing specific IP addresses to connect or preventing unknown FortiGate devices from registering.

Impacted Products:

FortiManager:
Version 7.6.0
Versions 7.4.0 to 7.4.4
Versions 7.2.0 to 7.2.7
Versions 7.0.0 to 7.0.12
Versions 6.4.0 to 6.4.14
Versions 6.2.0 to 6.2.12

FortiManager Cloud:
Versions 7.4.1 to 7.4.4
Versions 7.2.1 to 7.2.7
Versions 7.0.1 to 7.0.12
Version 6.4 (all versions)

Not impacted:
FortiManager Cloud 7.6

Upgrade to fixed versions:

Version                  Affected                Solution
FortiManager 7.6         7.6.0                   Upgrade to 7.6.1 or above
FortiManager 7.4         7.4.0 through 7.4.4     Upgrade to 7.4.5 or above
FortiManager 7.2         7.2.0 through 7.2.7     Upgrade to 7.2.8 or above
FortiManager 7.0         7.0.0 through 7.0.12    Upgrade to 7.0.13 or above
FortiManager 6.4         6.4.0 through 6.4.14    Upgrade to 6.4.15 or above
FortiManager 6.2         6.2.0 through 6.2.12    Upgrade to 6.2.13 or above
FortiManager Cloud 7.6   Not affected            Not applicable
FortiManager Cloud 7.4   7.4.1 through 7.4.4     Upgrade to 7.4.5 or above
FortiManager Cloud 7.2   7.2.1 through 7.2.7     Upgrade to 7.2.8 or above
FortiManager Cloud 7.0   7.0.1 through 7.0.12    Upgrade to 7.0.13 or above
FortiManager Cloud 6.4   6.4 all versions        Migrate to a fixed release

Workarounds:

config system global
(global)# set fgfm-deny-unknown enable
(global)# end

Indicators of Compromise:

Log entries:
type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"
type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

IP addresses:
45.32.41.202
104.238.141.143
158.247.199.37
45.32.63.2
195.85.114.78 (not observed by Fortinet; reported by Mandiant)

Serial Number:
FMG-VMTM23017412

Files:
/tmp/.tm
/var/tmp/.tm
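The two log entries and the serial number listed above are the indicators a defender can hunt for in exported FortiManager event logs. The following is an added example (not Fortinet's or Mandiant's code) that parses the mixed comma/space key=value format of those entries and flags the advisory's indicators; the sample log lines are constructed from the entries on this page plus one benign entry whose FGVM serial is a placeholder.

```python
import re
from typing import Dict, List

# key=value tokens; quoted values may contain commas and spaces, and the line
# mixes "," and " " as separators, so a regex scan beats naive splitting.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

# Indicators taken from the advisory text above.
IOC_SERIAL = "FMG-VMTM23017412"
IOC_MSG = "Unregistered device localhost add succeeded"

# Constructed sample: the two advisory log entries plus one benign entry
# (the FGVM serial in it is a placeholder, not a real indicator).
SAMPLE_LOGS = [
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="admin",userfrom="gui",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FGVMPLACEHOLDER01)"',
]

def parse_fmg_event(line: str) -> Dict[str, str]:
    """Split one FortiManager event log line into a field dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def match_iocs(fields: Dict[str, str]) -> List[str]:
    """Name the advisory indicators present in one parsed dvm event."""
    hits = []
    if IOC_MSG in (fields.get("msg"), fields.get("changes")):
        hits.append("unregistered-localhost-add")
    if IOC_SERIAL in fields.get("changes", ""):
        hits.append("ioc-serial")
    return hits

def scan(lines) -> List[tuple]:
    """Return (line_no, operation, indicators) for every dvm event that hits."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_fmg_event(line)
        if f.get("type") != "event" or f.get("subtype") != "dvm":
            continue  # only Device Manager events carry these indicators
        hits = match_iocs(f)
        if hits:
            findings.append((n, f.get("operation", ""), hits))
    return findings

if __name__ == "__main__":
    for n, op, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: operation={op!r} indicators={hits}")
```

Feed it the raw event log export rather than the GUI view so the quoted fields survive intact; a hit on either indicator should be followed by the file and IP checks listed above.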


Sources:
Fortinet FortiGuard Labs
Mandiant
CERT.at
