
DIVD-2024-00044 - Missing authentication in Fortinet FortiManager fgfmsd

Our reference DIVD-2024-00044
Case lead Max van der Horst
Author Oscar Vlugt
Researcher(s)
CVE(s)
Products
  • FortiManager
Versions
  • FortiManager 7.6 lower than version 7.6.1
  • FortiManager 7.4 lower than version 7.4.5
  • FortiManager 7.2 lower than version 7.2.8
  • FortiManager 7.0 lower than version 7.0.13
  • FortiManager 6.4 lower than version 6.4.15
  • FortiManager 6.2 lower than version 6.2.13
  • FortiManager Cloud 7.4 lower than version 7.4.5
  • FortiManager Cloud 7.2 lower than version 7.2.8
  • FortiManager Cloud 7.0 lower than version 7.0.13
  • FortiManager Cloud 6.4 all versions
  • Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the feature fmg-status enabled
Recommendation Patch your version to a non-vulnerable version. Migrate to a fixed release when you are running FortiManager Cloud 6.4.
Patch status Available
Workaround Available for some versions. Look at the recommendations on https://www.fortiguard.com/psirt/FG-IR-24-423 for your version.
Status Open
Last modified 16 Dec 2024 22:30 CET

Summary

A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. Reports have shown this vulnerability is exploited in the wild.

Vulnerability detection

Our fingerprint checks for FortiManager instances with port 541 reachable from the internet and uses the default Fortinet client certificates to establish a secure connection to the device. Once the connection is established, we trigger a specific function that lets us determine whether the installed FortiManager version is vulnerable, i.e. whether it would grant full shell access without authentication, which can result in the execution of arbitrary code or remote code execution (RCE).

Recommendations

Upgrade to a non-vulnerable version according to the FortiGuard advisory FG-IR-24-423. We recommend restricting public access to your instance when you are unable to either patch or apply the workaround provided by Fortinet. We also recommend checking your FortiManager for unrecognised serial numbers and performing forensics on your instance when you do find unrecognised serial numbers. Fortinet provides recovery methods in their FortiGuard advisory.
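The two checks above (is my version below the fixed release, and are there managed-device serial numbers I do not recognise) can be scripted for triage. The following Python is an added example written for this page; it is not DIVD's fingerprint or any Fortinet tooling. It transcribes the fixed-version table from the "Versions" list above and compares it against version strings and serial-number lists that the operator supplies. The version-based entries only are covered; the FortiAnalyzer models with fmg-status enabled are identified by model, not version, and are out of scope here. The serial numbers and version strings in the block are constructed sample data.

```python
"""Triage helper for DIVD-2024-00044 / FG-IR-24-423.

Added example for this advisory page; not DIVD's or Fortinet's code.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per affected branch, transcribed from the advisory's
# "Versions" list. None means every release of that branch is affected and
# the only remedy is migrating to a fixed release.
FIXED_VERSIONS: Dict[Tuple[str, Tuple[int, int]], Optional[Version]] = {
    ("FortiManager", (7, 6)): (7, 6, 1),
    ("FortiManager", (7, 4)): (7, 4, 5),
    ("FortiManager", (7, 2)): (7, 2, 8),
    ("FortiManager", (7, 0)): (7, 0, 13),
    ("FortiManager", (6, 4)): (6, 4, 15),
    ("FortiManager", (6, 2)): (6, 2, 13),
    ("FortiManager Cloud", (7, 4)): (7, 4, 5),
    ("FortiManager Cloud", (7, 2)): (7, 2, 8),
    ("FortiManager Cloud", (7, 0)): (7, 0, 13),
    ("FortiManager Cloud", (6, 4)): None,
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (an optional leading 'v' is tolerated)."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if the version is below the fixed release for its branch,
    False if it is at or above it, None if the branch is not in the
    advisory's table (treat None as 'check the vendor advisory', not as safe).
    """
    v = parse_version(version)
    key = (product, (v[0], v[1]))
    if key not in FIXED_VERSIONS:
        return None
    fixed = FIXED_VERSIONS[key]
    if fixed is None:          # whole branch affected (FortiManager Cloud 6.4)
        return True
    return v < fixed           # tuple comparison handles 7.0.9 < 7.0.13 correctly


def unrecognised_serials(managed: List[str], inventory: List[str]) -> List[str]:
    """Serial numbers registered on the FortiManager that the asset
    inventory does not know about. Any hit is a reason to start forensics
    per the recommendation above.
    """
    return sorted(set(managed) - set(inventory))


# Constructed sample data (not real serial numbers or real exports).
SAMPLE_MANAGED = ["FGT-EXAMPLE-0001", "FGT-EXAMPLE-0002", "FGT-EXAMPLE-9999"]
SAMPLE_INVENTORY = ["FGT-EXAMPLE-0001", "FGT-EXAMPLE-0002"]


if __name__ == "__main__":
    for product, ver in [("FortiManager", "7.4.3"),
                         ("FortiManager", "7.4.5"),
                         ("FortiManager Cloud", "6.4.15"),
                         ("FortiManager", "7.8.0")]:
        print(product, ver, "->", is_vulnerable(product, ver))
    print("unrecognised serials:",
          unrecognised_serials(SAMPLE_MANAGED, SAMPLE_INVENTORY))
```

A `None` result from `is_vulnerable` is deliberately distinct from `False`: a branch that is missing from the table is unknown, not confirmed fixed, and should be checked against the vendor advisory rather than silently passed.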

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of FortiManager and notify these parties.

Timeline

Date Description
24 Oct 2024 DIVD starts researching the vulnerability to determine a fingerprint
28 Nov 2024 DIVD finds fingerprint, preparing to scan.
28 Nov 2024 DIVD starts scanning the internet for vulnerable instances.

More information