From b09052fa8752ccf42114031c513ccf383e08f8ea Mon Sep 17 00:00:00 2001 From: KoenS Date: Mon, 16 Dec 2024 21:36:09 +0100 Subject: [PATCH 1/2] Update DIVD-2024-00044.md Update ## What we are doing --- _cases/2024/DIVD-2024-00044.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_cases/2024/DIVD-2024-00044.md b/_cases/2024/DIVD-2024-00044.md index a9b0d3a7..4f43291a 100644 --- a/_cases/2024/DIVD-2024-00044.md +++ b/_cases/2024/DIVD-2024-00044.md @@ -49,7 +49,7 @@ A missing authentication for critical function vulnerability [CWE-306] in FortiM Upgrade to a non-vulnerable version according to the FortiGuard advisory FG-IR-24-423. We recommend restricting public access to your instance when you are unable to either patch or apply the workaround provided by Fortinet. We also recommend checking your FortiManager for unrecognised serial numbers and perform forensics on your instance when you do find unrecognised serial numbers. Fortinet provides recovery methods in their FortiGuard advisory. ## What we are doing -DIVD is researching the vulnerability to determine a reliable fingerprint. +DIVD is currently working to identify parties that are running a vulnerable version of FortiManager and notify these parties. {% include timeline.html %} From f50585a19d0ed05900f68a86f14df5d08f5795a5 Mon Sep 17 00:00:00 2001 From: KoenS Date: Mon, 16 Dec 2024 22:30:04 +0100 Subject: [PATCH 2/2] Update DIVD-2024-00044.md Added ## Vulnerability detection --- _cases/2024/DIVD-2024-00044.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/_cases/2024/DIVD-2024-00044.md b/_cases/2024/DIVD-2024-00044.md index 4f43291a..acd0d136 100644 --- a/_cases/2024/DIVD-2024-00044.md +++ b/_cases/2024/DIVD-2024-00044.md 
@@ -45,6 +45,9 @@ timeline: ## Summary A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. Reports have shown this vulnerability is exploited in the wild. +## Vulnerability detection +In our fingerprint we check for open 541 ports from the internet that run the Fortimanger software and using default fortinet client-certificates to build up a secure connection to the device. After the connection is established, we trigger a specially function that allow us to check if this FortiManager software version is vulnerabile to give full shell access without authentication what can result in execution of arbitrary code or Remote code executions (RCE). + ## Recommendations Upgrade to a non-vulnerable version according to the FortiGuard advisory FG-IR-24-423. We recommend restricting public access to your instance when you are unable to either patch or apply the workaround provided by Fortinet. We also recommend checking your FortiManager for unrecognised serial numbers and perform forensics on your instance when you do find unrecognised serial numbers. Fortinet provides recovery methods in their FortiGuard advisory.
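Review bot: in the first hunk (`## What we are doing`), the replacement line drops the only statement of how vulnerable parties are being identified; the removed sentence said DIVD was working on a reliable fingerprint, and the new one only says parties are being identified and notified. Suggest keeping that link so readers understand the basis for the notification, e.g. "DIVD has developed a fingerprint for this vulnerability and is now identifying parties running a vulnerable version of FortiManager and notifying them."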
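Review bot: the new `## Vulnerability detection` paragraph in the second hunk should state explicitly that the check is a version/state probe and does not itself obtain shell access or execute anything on the device; as written ("give full shell access without authentication what can result in execution of arbitrary code") a reader could take it to mean the scan exploits the instance. It also needs a language pass before publishing: "Fortimanger" -> "FortiManager", "vulnerabile" -> "vulnerable", "open 541 ports from the internet" -> "instances with port 541 exposed to the internet", "using default fortinet client-certificates" -> "use default Fortinet client certificates", "trigger a specially function that allow us" -> "trigger a specific function that allows us", and "Remote code executions (RCE)" -> "remote code execution (RCE)". A suggested rewrite: "Our fingerprint looks for FortiManager instances with port 541 exposed to the internet, establishes a connection using default Fortinet client certificates, and then triggers a specific function whose response tells us whether the software version is vulnerable. The check does not obtain shell access or execute commands on the device."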