Fortinet Warns of Critical Vulnerability in FortiManager Under Active Exploitation

October 24, 2024 | Ravie Lakshmanan | Vulnerability / Network Security

Fortinet has confirmed reports of a critical security vulnerability in FortiManager that is under active exploitation in the wild.

Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability has also been named FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol.

“An absence of authentication for a critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may permit a remote unauthenticated attacker to execute arbitrary code or commands via deliberately crafted requests,” the organization declared in a Wednesday advisory.

The flaw affects FortiManager versions 7.x and 6.x, as well as FortiManager Cloud 7.x and 6.x. It also affects older FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E that have at least one interface with the fgfm service enabled and the following configuration:

config system global
set fmg-status enable
end

Fortinet has also published three workarounds for the flaw, depending on the installed FortiManager version:

  • Versions 7.0.12 or higher, 7.2.5 or higher, 7.4.3 or higher: Prevent unknown devices from attempting to register
  • Versions 7.2.0 and higher: Add local-in policies that allow only the IP addresses of FortiGates permitted to connect
  • Versions 7.2.2 and higher, 7.4.0 and higher, 7.6.0 and higher: Use a custom certificate

According to runZero, successful exploitation requires the attacker to hold a valid Fortinet device certificate, although it noted that such certificates can be obtained from an existing Fortinet device and reused.

“The observed actions of this attack in the wild have been to automate the exfiltration of various files from the FortiManager which comprised the IPs, credentials, and configurations of the managed devices,” the company stated.

However, it stressed that the vulnerability has not been used to deploy malware or backdoors on compromised FortiManager systems, and that there is no evidence of modified databases or connections.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by November 13, 2024.

Fortinet also shared the following statement with The Hacker News:

Upon identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated crucial information and resources to clients. This aligns with our procedures and top practices for ethical disclosure to enable clients to bolster their security measures before an advisory is made public to all, including malicious actors. We have also released a corresponding public advisory (FG-IR-24-423) reiterating mitigation suggestions, including workarounds and patch updates. We advise clients to adhere to the advice provided to implement the workarounds and patches and to stay updated on our advisory page for further information. We are continuously collaborating with the relevant international government departments and industry threat organizations as part of our ongoing response.

Exploitation of CVE-2024-47575 Linked to UNC5820

Google-owned Mandiant has attributed the mass exploitation of FortiManager devices via CVE-2024-47575 to a new threat cluster it tracks as UNC5820.

More than 50 potentially compromised FortiManager devices across various industries have been identified so far, with evidence of exploitation dating back to June 27, 2024.

“UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager,” analysts from Mandiant, Foti Castelan, Max Thauer, JP Glab, Gabby Roncone, Tufail Ahmed, and Jared Wilson stated.

“This data includes detailed configuration information of the managed appliances along with the users and their FortiOS256-encrypted passwords. This data could be leveraged by UNC5820 to further breach the FortiManager, progress laterally to the managed Fortinet devices, and ultimately target the corporate environment.”

The cybersecurity firm, working with Fortinet, said there is no evidence that the threat actor used the configuration data for lateral movement or further post-exploitation activity. The origin and motives of UNC5820 remain unknown, as the available data is insufficient to attribute the activity.
