FortiManager: Unauthenticated Remote Access Vulnerability - CVE-2024-47575

What Happened

On October 23, 2024, FortiGuard Labs released a PSIRT advisory detailing a critical vulnerability in FortiManager fgfmd daemon which “may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.” This vulnerability has been recorded by NVD and assigned the CVE-ID CVE-2024-47575 and carries with it a critical severity CVSSv3 score of 9.8.

This vulnerability has been unofficially named “FortiJump” by researcher Kevin Beaumont, who was among the first to raise concerns that a potentially high risk vulnerability was on the horizon. Ten days after Beaumont’s initial post on the social media platform, Mastodon, FortiGuard Labs released their own official statement and not only confirmed the existence of this vulnerability, but also revealed they had evidence that it is actively being exploited in the wild.

This vulnerability is the result of an insecure implementation of how managed devices are registered with FortiManager. By default, any device is allowed to register with FortiManager as a managed device. Malicious actors can use this to register their own rogue device and exploit FortiManager to access managed FortiGate firewalls and exfiltrate or make changes to configuration files, credentials, or other sensitive data.

What That Means

Administrators who manage FortiManager services should patch as soon as possible. The exploitation seems relatively trivial but the potential impact is extreme, considering this vulnerability provides access to devices used to protect and secure networks. Failure to patch quickly could result in threat actors gaining access to company networks and configuring services or accounts for backdoor access and persistence. Exfiltrated configuration files, users, and passwords can be saved by threat actors for future reconnaissance and attacks.

While no proof of concept code has been released as of the writing of this article (October 24, 2024), active exploitation has been seen in the wild.

Who’s Impacted

The following table and notes have been directly lifted from the FortiGuard PSIRT

Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer):

config system global

set fmg-status enable

end

and at least one interface with fgfm service enabled is also impacted by this vulnerability.

How Would I Know and What Should I Do

Blumira has released a new detection to all of our FortiNet customers. Titled, “FortiGate: FortiManager CVE-2024-47575 Missing authentication in fgfmsd”, this detection monitors for initial steps taken by a threat actor to register their rogue device with FortiManager. If you are already shipping your FortiNet device logs to Blumira, this rule will automatically be deployed and enabled for you. We have also retroactively scanned the last 30 days of customer FortiNet logs to verify no compromise has occurred before we were able to develop and release the detection (should we identify any suspicious behavior, our Security Operations team will reach out).

Several indicators of compromise (IOC) have been released by the FortiGuard Labs team:

Log entries:

type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"

type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

IP addresses

45.32.41.202

104.238.141.143

158.247.199.37

45.32.63.2

Serial Number

FMG-VMTM23017412

Files

/tmp/.tm

/var/tmp/.tm

Workarounds

Additionally, the FortiGaurd Labs team has advised on several workarounds if a patch cannot be applied immediately - note that for older versions (6.2, 6.4, and 7.0.11 and below), it is advised to apply the patch and workarounds: 

config system global

(global)# set fgfm-deny-unknown enable

(global)# end

Warning: With this setting enabled, be aware that if a FortiGate's SN is not in the device list, FortiManager will prevent it from connecting to register upon being deployed, even when a model device with PSK is matching.

Example:

config system local-in-policy

edit 1

set action accept

set dport 541

set src

Next

edit 2

set dport 541

Next

end

config system global

set fgfm-ca-cert

set fgfm-cert-exclusive enable

end

And install that certificate on FortiGates. Only this CA will be valid, this can act as a workaround, providing the attacker cannot obtain a certificate signed by this CA via an alternate channel.

For FortiManager versions 6.2, 6.4, and 7.0.11 and below, please upgrade to one of the versions above and apply the above workarounds.

When Will it be Fixed?

Patches are available and have been released by FortiNet. Please refer to the table above to see if you are affected.

How Blumira Can Help

Blumira continues to actively monitor this issue, and look for any additional ways that we can detect any stage of exploitation of these vulnerabilities.

If you are an MSP and not already using Blumira, please submit a request for a “free for internal use” NFR account.

The Blumira Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.