{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-113.pdf"
    },
    "title": "Critical 0-day Vulnerability in Fortinet FortiManager",
    "serial_number": "2024-113",
    "publish_date": "24-10-2024 08:56:10",
    "description": "On October 23, 2024, Fortinet released a security advisory addressing a critical 0-day vulnerability in its FortiManager product. If exploited, a remote unauthenticated attacker could execute arbitrary code or commands on the affected device.<br>\nIt is strongly recommended to apply the update. When this is not possible, it is recommended to apply the workaround. In all cases, it is recommended to search for potential compromise.<br>\n",
    "url_title": "2024-113",
    "content_markdown": "---\ntitle: 'Critical 0-day Vulnerability in Fortinet FortiManager'\nnumber: '2024-113'\nversion: '1.1'\noriginal_date: '2024-10-23'\ndate: '2024-10-24'\n---\n\n_History:_\n\n* _23/10/2024 --- v1.0 -- Initial publication_\n* _24/10/2024 --- v1.1 -- Fix incorrect CVE identifier_\n\n# Summary\n\nOn October 23, 2024, Fortinet released a security advisory addressing a critical 0-day vulnerability in its FortiManager product. If exploited, a remote unauthenticated attacker could execute arbitrary code or commands on the affected device [1].\n\nIt is strongly recommended to apply the update. When this is not possible, it is recommended to apply the workaround. In all cases, it is recommended to search for potential compromise.\n\n# Technical Details\n\nThe vulnerability **CVE-2024-47575**, with a CVSS score of 9.8, affects the FortiManager fgfmd daemon and is due to missing authentication for a critical function. A remote unauthenticated attacker could execute arbitrary code or commands via specially crafted requests.\n\n# Affected Products\n\nThe following product versions are affected:\n\n- FortiManager 7.6 versions before 7.6.1;\n- FortiManager 7.4 versions before 7.4.5;\n- FortiManager 7.2 versions before 7.2.8;\n- FortiManager 7.0 versions before 7.0.13;\n- FortiManager 6.4 versions before 6.4.15;\n- FortiManager 6.2 versions before 6.2.13;\n- FortiManager Cloud 7.4 versions before 7.4.5;\n- FortiManager Cloud 7.2 all versions;\n- FortiManager Cloud 7.0 all versions;\n- FortiManager Cloud 6.4 all versions.\n\n# Recommendations\n\nIt is strongly recommended to update affected devices as soon as possible, prioritising Internet-facing assets. When this is not possible, it is strongly recommended to apply the workaround.\n\nIt is also strongly encouraged to look for potential compromise.\n\n## Workaround\n\n1. For FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0), prevent unknown devices from attempting to register:\n\n```\nconfig system global\n(global)# set fgfm-deny-unknown enable\n(global)# end\n```\n\n_Warning: With this setting enabled, be aware that if a FortiGate's SN is not in the device list, FortiManager will prevent it from connecting to register upon being deployed, even when a model device with PSK is matching._\n\n2. For FortiManager versions 7.2.0 and above, one may add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect.\n\nExample (replace the `<ip/mask>` placeholder with the address range of your FortiGates):\n\n```\nconfig system local-in-policy\nedit 1\nset action accept\nset dport 541\nset src <ip/mask>\nnext\nedit 2\nset dport 541\nnext\nend\n```\n\n3. For 7.2.2 and above, 7.4.0 and above, 7.6.0 and above it is also possible to use a custom certificate, which will mitigate the issue (replace the `<ca-cert-name>` placeholder with the name of your CA certificate):\n\n```\nconfig system global\nset fgfm-ca-cert <ca-cert-name>\nset fgfm-cert-exclusive enable\nend\n```\n\nThen install that certificate on the FortiGates. Only this CA will be valid, so this can act as a workaround, provided the attacker cannot obtain a certificate signed by this CA via an alternate channel.\n\n_NB: For FortiManager versions 6.2, 6.4, and 7.0.11 and below, upgrade to one of the versions above and apply the above workarounds._\n\n## IoC Detections\n\nThe following indicators of compromise could be used to identify potential compromise. Note that file IoCs may not appear in all cases.\n\n### Logs\n\n```\ntype=event,subtype=dvm,pri=information,desc=\"Device,manager,generic,information,log\",user=\"device,...\",msg=\"Unregistered device localhost add succeeded\" device=\"localhost\" adom=\"FortiManager\" session_id=0 operation=\"Add device\" performed_on=\"localhost\" changes=\"Unregistered device localhost add succeeded\"\n\n\ntype=event,subtype=dvm,pri=notice,desc=\"Device,Manager,dvm,log,at,notice,level\",user=\"System\",userfrom=\"\",msg=\"\" adom=\"root\" session_id=0 operation=\"Modify device\" performed_on=\"localhost\" changes=\"Edited device settings (SN FMG-VMTM23017412)\"\n```\n\n### IP addresses\n\n```\n45.32.41.202\n104.238.141.143\n158.247.199.37\n45.32.63.2\n```\n\n### Serial Number\n\n`FMG-VMTM23017412`\n\n### Files\n\n```\n/tmp/.tm\n/var/tmp/.tm\n```\n\n# References\n\n[1] <https://www.fortiguard.com/psirt/FG-IR-24-423>",
    "content_html": "<p><em>History:</em></p><ul><li><em>23/10/2024 --- v1.0 -- Initial publication</em></li><li><em>24/10/2024 --- v1.1 -- Fix incorrect CVE identifier</em></li></ul><h2 id=\"summary\">Summary</h2><p>On October 23, 2024, Fortinet released a security advisory addressing a critical 0-day vulnerability in its FortiManager product. If exploited, a remote unauthenticated attacker could execute arbitrary code or commands on the affected device [1].</p><p>It is strongly recommended to apply the update. When this is not possible, it is recommended to apply the workaround. In all cases, it is recommended to search for potential compromise.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2024-47575</strong>, with a CVSS score of 9.8, affects the FortiManager fgfmd daemon and is due to missing authentication for a critical function. A remote unauthenticated attacker could execute arbitrary code or commands via specially crafted requests.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following product versions are affected:</p><ul><li>FortiManager 7.6 versions before 7.6.1;</li><li>FortiManager 7.4 versions before 7.4.5;</li><li>FortiManager 7.2 versions before 7.2.8;</li><li>FortiManager 7.0 versions before 7.0.13;</li><li>FortiManager 6.4 versions before 6.4.15;</li><li>FortiManager 6.2 versions before 6.2.13;</li><li>FortiManager Cloud 7.4 versions before 7.4.5;</li><li>FortiManager Cloud 7.2 all versions;</li><li>FortiManager Cloud 7.0 all versions;</li><li>FortiManager Cloud 6.4 all versions.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>It is strongly recommended to update affected devices as soon as possible, prioritising Internet-facing assets. When this is not possible, it is strongly recommended to apply the workaround.</p><p>It is also strongly encouraged to look for potential compromise.</p><h3 id=\"workaround\">Workaround</h3><ol><li>For FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0), prevent unknown devices from attempting to register:</li></ol><pre><code>config system global\n(global)# set fgfm-deny-unknown enable\n(global)# end\n</code></pre><p><em>Warning: With this setting enabled, be aware that if a FortiGate's SN is not in the device list, FortiManager will prevent it from connecting to register upon being deployed, even when a model device with PSK is matching.</em></p><ol start=\"2\"><li>For FortiManager versions 7.2.0 and above, one may add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect.</li></ol><p>Example (replace the <code>&lt;ip/mask&gt;</code> placeholder with the address range of your FortiGates):</p><pre><code>config system local-in-policy\nedit 1\nset action accept\nset dport 541\nset src &lt;ip/mask&gt;\nnext\nedit 2\nset dport 541\nnext\nend\n</code></pre><ol start=\"3\"><li>For 7.2.2 and above, 7.4.0 and above, 7.6.0 and above it is also possible to use a custom certificate, which will mitigate the issue (replace the <code>&lt;ca-cert-name&gt;</code> placeholder with the name of your CA certificate):</li></ol><pre><code>config system global\nset fgfm-ca-cert &lt;ca-cert-name&gt;\nset fgfm-cert-exclusive enable\nend\n</code></pre><p>Then install that certificate on the FortiGates. Only this CA will be valid, so this can act as a workaround, provided the attacker cannot obtain a certificate signed by this CA via an alternate channel.</p><p><em>NB: For FortiManager versions 6.2, 6.4, and 7.0.11 and below, upgrade to one of the versions above and apply the above workarounds.</em></p><h3 id=\"ioc-detections\">IoC Detections</h3><p>The following indicators of compromise could be used to identify potential compromise. Note that file IoCs may not appear in all cases.</p><h4 id=\"logs\">Logs</h4><pre><code>type=event,subtype=dvm,pri=information,desc=\"Device,manager,generic,information,log\",user=\"device,...\",msg=\"Unregistered device localhost add succeeded\" device=\"localhost\" adom=\"FortiManager\" session_id=0 operation=\"Add device\" performed_on=\"localhost\" changes=\"Unregistered device localhost add succeeded\"\n\n\ntype=event,subtype=dvm,pri=notice,desc=\"Device,Manager,dvm,log,at,notice,level\",user=\"System\",userfrom=\"\",msg=\"\" adom=\"root\" session_id=0 operation=\"Modify device\" performed_on=\"localhost\" changes=\"Edited device settings (SN FMG-VMTM23017412)\"\n</code></pre><h4 id=\"ip-addresses\">IP addresses</h4><pre><code>45.32.41.202\n104.238.141.143\n158.247.199.37\n45.32.63.2\n</code></pre><h4 id=\"serial-number\">Serial Number</h4><p><code>FMG-VMTM23017412</code></p><h4 id=\"files\">Files</h4><pre><code>/tmp/.tm\n/var/tmp/.tm\n</code></pre><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-24-423\">https://www.fortiguard.com/psirt/FG-IR-24-423</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}