October 24, 2024 | Ravie Lakshmanan | Vulnerability / Network Security
Fortinet has confirmed details of a critical security flaw affecting FortiManager that is being exploited in the wild.
The vulnerability, tracked as CVE-2024-47575 (CVSS score: 9.8), is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol.
“Lack of authentication for critical functionality vulnerability (CWE-306) in FortiManager’s fgfmd daemon allows an unauthenticated, remote attacker to execute arbitrary code or commands via a specially crafted request,” the company said in an advisory on Wednesday.
This shortcoming affects FortiManager versions 7.x and 6.x, FortiManager Cloud 7.x and 6.x, and older FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E that have the FortiManager feature enabled with the following configuration:
    config system global
        set fmg-status enable
    end
Fortinet also provides two workarounds for this flaw depending on the current version of FortiManager installed.
- Prevent unknown devices from attempting to register: FortiManager versions 7.0.12 and later, 7.2.5 and later, and 7.4.3 and later.
- Add a local-in policy that allow-lists the IP addresses of the FortiGates permitted to connect: FortiManager versions 7.2.0 and later.
- Use a custom certificate for FortiManager connections: FortiManager versions 7.2.2 and later, 7.4.0 and later, and 7.6.0 and later.
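Because each workaround above is gated on a per-branch minimum version, a fleet triage script needs numeric version comparison (as strings, "7.0.12" sorts before "7.0.9"). The following is an added example, not Fortinet's or the article's code; the hostnames and versions in the sample inventory are constructed, and treating "and later" as also covering release branches newer than the newest one listed is an assumption.

```python
from typing import Iterable

Version = tuple[int, int, int]

# Minimum version per FortiManager release branch at which each workaround
# listed in the article becomes available (thresholds taken from the text).
WORKAROUNDS: dict[str, dict[tuple[int, int], Version]] = {
    "deny registration of unknown devices": {
        (7, 0): (7, 0, 12), (7, 2): (7, 2, 5), (7, 4): (7, 4, 3)},
    "local-in policy allow-listing FortiGate IPs": {
        (7, 2): (7, 2, 0), (7, 4): (7, 4, 0), (7, 6): (7, 6, 0)},
    "custom certificate": {
        (7, 2): (7, 2, 2), (7, 4): (7, 4, 0), (7, 6): (7, 6, 0)},
}


def parse_version(text: str) -> Version:
    """Parse 'v7.0.12' or '7.0.12' into ints so that 7.0.12 > 7.0.9."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiManager version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def workaround_available(version: Version, thresholds: dict[tuple[int, int], Version]) -> bool:
    branch = version[:2]
    if branch in thresholds:
        return version >= thresholds[branch]
    # Assumption: "and later" also covers branches newer than the newest listed
    # one (e.g. 7.6.x for a workaround listed up to 7.4.3 and later).
    return branch > max(thresholds)


def applicable_workarounds(version_text: str) -> list[str]:
    v = parse_version(version_text)
    return [name for name, th in WORKAROUNDS.items() if workaround_available(v, th)]


def triage(inventory: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each FortiManager host to the workarounds it can apply right now."""
    return {host: applicable_workarounds(ver) for host, ver in inventory}


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fmg-dc1.example.internal", "7.0.12"),
    ("fmg-dc2.example.internal", "7.2.3"),
    ("fmg-lab.example.internal", "6.4.14"),
    ("fmg-new.example.internal", "v7.6.0"),
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_INVENTORY).items():
        print(host, "->", ", ".join(names) or "no listed workaround available")
```

Hosts that come back with an empty list have none of the listed workarounds and should be prioritised for patching.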
According to runZero, a successful exploit would require the attacker to hold a valid Fortinet device certificate, but such a certificate could potentially be obtained from an existing Fortinet device and reused.
“The actions identified in this actual attack were automation via a script that extracted various files from FortiManager containing managed device IPs, credentials, and configurations,” the company said.
However, it emphasized that the vulnerability was not exploited to deploy malware or backdoors on compromised FortiManager systems, and there was no evidence that the database or connections were modified.
Following this development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by November 13, 2024.
Fortinet also shared the following statement with The Hacker News:
After identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to help customers strengthen their security posture before advisories are published to a broader audience, including threat actors. We have also published a corresponding public advisory (FG-IR-24-423) that reiterates mitigation guidance, including workarounds and patch updates. We encourage customers to follow the guidance provided to implement workarounds and fixes and continue to track updates on the advisory page. We continue to engage with appropriate international government agencies and industry threat organizations as part of our ongoing response.