Fortinet confirms critical vulnerability in Fortimanager under attack

Fortinet has confirmed a critical vulnerability in Fortimanager, which is already under attack. Updates have recently been released.

Stylized image: A stack of burning appliances

Vulnerabilities threaten appliances.

(Image: created with AI in Bing Designer by heise online / dmk)


Fortinet has released a security advisory on a critical vulnerability in FortiManager. It is the vulnerability closed by the FortiManager updates announced earlier this week. The flaw is already being exploited by cyber criminals on the Internet, warns the US cyber security authority CISA, which has added it to its Known Exploited Vulnerabilities catalog.

Fortinet, as a registered CVE Numbering Authority (CNA), has created and published a CVE entry for the vulnerability, CVE-2024-47575, with a CVSS value of 9.8, classifying it as a critical risk. "A lack of authentication in a critical function in FortiManager [...] allows attackers to execute arbitrary code or commands via carefully crafted requests," is how the manufacturer describes the vulnerability.

The CERT-Bund of the BSI goes further and rates the vulnerability with the maximum CVSS value of 10.0. Meanwhile, the Fortinet developers have collected some information about the vulnerability in a security advisory. There, the company specifies that the missing authentication affects the fgfmd daemon. According to an explanation by IT security researcher Kevin Beaumont, this service is used to register FortiGate appliances with FortiManager.

He sees further errors in the implementation: By default, any device, even one with an unknown serial number, can register with FortiManager and become a managed device. The client only needs a valid certificate, and the certificate of any FortiGate appliance will do, which is not a real hurdle. After registration, a vulnerability on the FortiManager itself comes into play, which allows attackers to execute arbitrary code via the "fake" FortiGate connection. Since the FortiManager manages other FortiGate firewalls, attackers can access these, view and change their configurations, or extract credentials. Beaumont adds that Managed Service Providers often use FortiManager, so attackers can penetrate their customers' networks this way.

FortiGate provides the complete list of corrected software versions: FortiManager 7.6.1, 7.4.5, 7.2.8, 7.0.13, 6.4.15 and 6.2.13; for FortiManager Cloud, 7.4.5, 7.2.8 and 7.0.13 are available. Newer firmware versions naturally also correct the problem. Anyone using FortiManager Cloud 6.4 must migrate to one of the newer releases. The older FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G and 3900E are also vulnerable if the following option is enabled:

config system global
set fmg-status enable
end

For IT managers who are not yet able to update, Fortinet also lists temporary countermeasures to mitigate the effects of the vulnerability. Fortinet also publishes Indicators of Compromise, which admins can use to recognize whether their devices have been attacked. In his overview, Beaumont additionally lists IP addresses from which contact attempts on the FGFM ports 541 (IPv4) or 542 (IPv6) of FortiGate and FortiManager appliances indicate attempted attacks.
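As an added defender-side illustration (not part of the heise article or of Fortinet's material), the following Python sketch checks connection and registration events on the FGFM ports named above against an inventory of expected FortiGate serial numbers and trusted source networks, flagging registrations from unknown serials or untrusted sources. The log format, the serial numbers and the networks are constructed for this example and do not reflect real Fortinet log output or Fortinet's IoCs.

```python
import ipaddress
import re

# Constructed sample records (NOT real Fortinet log output): key=value events
# as a generic syslog collector might store them.
SAMPLE_LOGS = [
    'ts=2024-10-23T09:00:01Z src=10.0.1.20 dport=541 msg="fgfm connect" serial=FGT60F-KNOWN-0001',
    'ts=2024-10-23T09:05:12Z src=203.0.113.7 dport=541 msg="fgfm connect" serial=FGT60F-ROGUE-9999',
    'ts=2024-10-23T09:05:13Z src=203.0.113.7 dport=541 msg="device registered" serial=FGT60F-ROGUE-9999',
    'ts=2024-10-23T09:10:00Z src=10.0.1.21 dport=443 msg="gui login" user=admin',
    'ts=2024-10-23T09:12:44Z src=2001:db8::9 dport=542 msg="fgfm connect" serial=FGT100F-KNOWN-0002',
]

# Constructed inventory: serial numbers of FortiGates this FortiManager is expected to manage.
KNOWN_SERIALS = {"FGT60F-KNOWN-0001", "FGT100F-KNOWN-0002"}
# Constructed allowlist: networks from which managed devices legitimately reach FGFM.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("2001:db8::/32")]
# FGFM listens on 541 for IPv4 and 542 for IPv6, as stated in the article.
FGFM_PORTS = {541, 542}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_suspicious_fgfm(lines, known_serials=KNOWN_SERIALS, trusted=TRUSTED_SOURCES):
    """Return (ts, src, serial, reasons) for FGFM events that deviate from the inventory."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        if int(ev.get("dport", 0)) not in FGFM_PORTS:
            continue  # only traffic to the FGFM ports is of interest here
        src = ipaddress.ip_address(ev["src"])
        reasons = []
        # Mixed-version comparisons (v4 address vs v6 network) simply evaluate to False.
        if not any(src in net for net in trusted):
            reasons.append("fgfm_from_untrusted_source")
        serial = ev.get("serial")
        if serial and serial not in known_serials:
            reasons.append("unknown_serial")
        if reasons:
            findings.append((ev["ts"], str(src), serial, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_fgfm(SAMPLE_LOGS):
        print(f)
```

A device that registers with a serial number absent from the inventory is exactly the default behaviour Beaumont criticises, so such a finding should trigger a review of that FortiManager's managed-device list.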

The available updates for the FortiManager products were already announced on Tuesday, but without any details on what the new versions would correct. At the same time, evidence was already growing on social networks that this was a security vulnerability that had already been attacked in the wild.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.