NC4-ALR-2024-000011 : Critical Vulnerability of Missing Authentication for Critical Function in Fortinet FortiManager
Introduction

The National Cyber Coordination and Command Centre (NC4) has been alerted to a critical missing authentication for critical function vulnerability in the FortiManager fgfmd daemon, which may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. Tracked as CVE-2024-47575, this vulnerability has been seen actively exploited in the wild. It has been classified as a critical threat with a CVSS score of 9.8, necessitating immediate attention and action. NC4 would like to remind System Administrators and Network Administrators to immediately implement adequate cyber security measures to ensure that systems and networks are secured at all times.

Impact

Successful exploitation enables attackers to run unauthorised commands or code, potentially leading to full system compromise.

Brief Description

A critical vulnerability exists in the fgfmd daemon of FortiManager that allows a remote unauthenticated attacker to achieve arbitrary code or command execution by sending crafted requests. Given its severity, and because this vulnerability has been seen actively exploited in the wild, organisations should prioritise patching affected systems and revisiting their network security strategies, ensuring that defensive measures are in place to limit access. Security teams are advised to assess any potential exposure due to this vulnerability and develop immediate response plans in collaboration with stakeholders to minimise business disruption.

In addition, cross-check the following Indicators of Compromise (IoCs) observed by Fortinet and Mandiant against your environment to assess the current status of your Fortinet appliances:

  • 45.32.41.202
  • 104.238.141.143
  • 158.247.199.37
  • 45.32.63.2
  • 195.85.114.78

Affected Product

FortiManager Versions:

  • 7.6.0
  • 7.4.0 - 7.4.4
  • 7.2.0 - 7.2.7
  • 7.0.0 - 7.0.12
  • 6.4.0 - 6.4.14
  • 6.2.0 - 6.2.12

FortiManager Cloud Versions:

  • 7.4.1 - 7.4.4
  • 7.2.1 - 7.2.7
  • 7.0.1 - 7.0.12
  • 6.4 all versions

Recommendation

Organisations are advised to take the following actions immediately:

  1. Patch Deployment: Ensure that all vulnerable FortiManager instances are updated with the latest security patches.
  2. Access Controls: Strengthen authentication mechanisms and restrict access to FortiManager through segmentation and whitelisting.
  3. Monitoring and Response: Implement continuous monitoring for suspicious activities linked to the vulnerability and prepare incident response teams for possible exploitation attempts.
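As an added example (not part of NC4's advisory or of any Fortinet tooling), the following Python script turns two of the actions above into repeatable checks using only the data in this advisory: a version triage of a FortiManager inventory against the affected ranges listed under Affected Product, and an IoC match over log lines. The log format and the sample lines are constructed assumptions, not real FortiManager output.

```python
import re

# Indicators of Compromise listed in the advisory above (Fortinet / Mandiant).
IOC_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37",
           "45.32.63.2", "195.85.114.78"}

# Affected version ranges from the advisory as inclusive (low, high) tuples;
# a two-element high bound means every patch level of that minor release.
AFFECTED = {
    "fortimanager": [((7, 6, 0), (7, 6, 0)), ((7, 4, 0), (7, 4, 4)),
                     ((7, 2, 0), (7, 2, 7)), ((7, 0, 0), (7, 0, 12)),
                     ((6, 4, 0), (6, 4, 14)), ((6, 2, 0), (6, 2, 12))],
    "fortimanager-cloud": [((7, 4, 1), (7, 4, 4)), ((7, 2, 1), (7, 2, 7)),
                           ((7, 0, 1), (7, 0, 12)), ((6, 4, 0), (6, 4))],
}

def parse_version(text):
    """Turn '7.4.3' or 'v7.4.3' into (7, 4, 3); reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version, product="fortimanager"):
    """True when the version lies inside an affected range for the product."""
    v = parse_version(version)
    for low, high in AFFECTED[product]:
        if len(high) == 2:          # whole minor release is listed as affected
            if v[:2] == high:
                return True
        elif low <= v <= high:
            return True
    return False

# Dotted-quad addresses only; lookarounds stop fragments of longer dotted strings matching.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def find_ioc_hits(log_lines):
    """Return (line_number, ioc_ip, line) for every line mentioning a listed IoC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip, line))
    return hits

# Constructed sample lines for the demo; the format is hypothetical, not FortiManager's.
SAMPLE_LOG = [
    "2024-10-23 10:01:12 fgfmd: session from 10.10.5.20 device=FGT-BRANCH-01",
    "2024-10-23 10:02:45 fgfmd: session from 45.32.41.202 device=unknown",
    "2024-10-23 10:07:33 fgfmd: session from 195.85.114.78 device=unknown",
]
```

Feed `is_affected` the version strings from your asset inventory and `find_ioc_hits` the lines from your FortiManager or perimeter logs; a hit on either is a trigger for the incident response preparation in step 3.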

References

  • https://www.fortiguard.com/psirt/FG-IR-24-423
  • https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575
