-
Notifications
You must be signed in to change notification settings - Fork 47
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #861 from DIVD-NL/DIVD-2024-00044
Publishing case file for 2024-00044
- Loading branch information
Showing
1 changed file
with
53 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| --- | ||
| layout: case | ||
| title: "Missing authentication in Fortinet FortiManager fgfmsd" | ||
| author: Oscar Vlugt | ||
| lead: Max van der Horst | ||
| excerpt: "A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests." | ||
| researchers: | ||
| - Stan Plasmeijer | ||
| - Alwin Warringa | ||
| - Max van der Horst | ||
| - Oscar Vlugt | ||
| cves: | ||
| - CVE-2024-47575 | ||
| product: | ||
| - FortiManager | ||
| versions: | ||
| - FortiManager 7.6 lower than version 7.6.1 | ||
| - FortiManager 7.4 lower than version 7.4.5 | ||
| - FortiManager 7.2 lower than version 7.2.8 | ||
| - FortiManager 7.0 lower than version 7.0.13 | ||
| - FortiManager 6.4 lower than version 6.4.15 | ||
| - FortiManager 6.2 lower than version 6.2.13 | ||
| - FortiManager Cloud 7.4 lower than version 7.4.5 | ||
| - FortiManager Cloud 7.2 lower than version 7.2.8 | ||
| - FortiManager Cloud 7.0 lower than version 7.0.13 | ||
| - FortiManager Cloud 6.4 all versions | ||
| - Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the feature fmg-status enabled | ||
| recommendation: "Patch your version to a non-vulnerable version. Migrate to a fixed release when you are running FortiManager Cloud 6.4" | ||
| workaround: "Available for some versions. Look at the recommendations on https://www.fortiguard.com/psirt/FG-IR-24-423 for your version." | ||
| patch_status: Available | ||
| status : Open | ||
| start: 2024-10-24 | ||
| timeline: | ||
| - start: 2024-10-24 | ||
| end: | ||
| event: "DIVD starts researching the vulnerability to determine a fingerprint" | ||
| --- | ||
| ## Summary | ||
| A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. Reports have shown this vulnerability is exploited in the wild. | ||
|
|
||
| ## Recommendations | ||
| Upgrade to a non-vulnerable version according to the FortiGuard advisory FG-IR-24-423. We recommend restricting public access to your instance when you are unable to either patch or apply the workaround provided by Fortinet. We also recommend checking your FortiManager for unrecognised serial numbers and perform forensics on your instance when you do find unrecognised serial numbers. Fortinet provides recovery methods in their FortiGuard advisory. | ||
|
|
||
| ## What we are doing | ||
| DIVD is researching the vulnerability to determine a reliable fingerprint. | ||
|
|
||
| {% include timeline.html %} | ||
|
|
||
| ## More information | ||
| * {% cve CVE-2024-47575 %} | ||
| * [National Vulnerability Database for CVE-2024-47575] (https://nvd.nist.gov/vuln/detail/CVE-2024-47575) | ||
| * [FortiGuard PSIRT Advisory FG-IR-24-423] (https://www.fortiguard.com/psirt/FG-IR-24-423) | ||
| * [Mandiant Investigation] (https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575?e=48754805) |