Certified Security Operations Center GmbH

14. November 2024

Attention – Active exploitation of a zero-day vulnerability in Fortinet FortiManager

For many Fortinet FortiManager is the centerpiece of a modern, centralized network security strategy. Fortinet FortiManager makes it possible to monitor, control and manage all Fortinet security devices from firewalls and VPNs to switches and access points in a single location.

This platform is not just a pure management tool – it offers an intelligent and automated solution that allows companies to effortlessly synchronize and update their security policies across a global network.

FortiManager is particularly beneficial for companies with multiple locations or a complex network infrastructure. It allows changes and security policies to be implemented consistently and reliably – with just a few clicks. With automated updates, centralized backups and extensive logging options, FortiManager not only helps to improve network security, but also significantly reduces administrative overhead.

But even the strongest security solutions are not completely invulnerable. A critical vulnerability has recently been discovered that also affects Fortinet and has the potential to jeopardize the security of many organizations. In the following analysis, we look at the risks this vulnerability poses, how organizations should respond to it, and what steps Fortinet has already taken to ensure the security of its users.

The vulnerability:

On October 23, 2024, Fortinet published an advisory on the zero-day vulnerability (CVE-2024-47575) in FortiManager. The vulnerability is actively exploited and has been rated 9.8 (“critical”) in the Common Vulnerability Scoring System (CVSS). It allows attackers to execute arbitrary code without authentication by exploiting a vulnerability in the FGFM daemon of FortiManager. This can lead to a takeover of the administration and control of all connected devices and give attackers extensive access to sensitive networks and resources.

The vulnerability affects FortiManager in various versions:

  • FortiManager up to version 7.6.0 (FortiManager Cloud)
  • Versions 6.2.12 and lower up to and including versions 7.4.4 and 7.2.7
  • Various older FortiAnalyzer models with activated FortiManager module and FGFM service

The current FortiManager Cloud 7.6 version, on the other hand, is not affected.

Threat and impact:

Since attackers can use this vulnerability to bypass critical security mechanisms, several incidents in which unauthorized access has taken place have already been documented. Fortinet confirmed that the attackers are conducting automated attacks in which files containing IP addresses, access data and device configurations have been exfiltrated. However, so far no evidence of malware installation or hidden backdoors on compromised systems has been detected.

Several of our customers have already been targeted by such attacks, but were able to protect themselves from further damage by taking proactive measures and reacting quickly. Our team responded as soon as the vulnerability was made public and implemented a rule that alerts us as soon as attack activity related to this vulnerability is detected.

To detect possible compromise at an early stage, IT security managers should check the following indicators:

Log entries:

  • type=event, subtype=dvm, pri=information, desc=“Device,manager,generic,information,log”, user=“device,…”, msg=“Unregistered device localhost add succeeded” device=“localhost” adom=“FortiManager” session_id=0 operation=“Add device” performed_on=“localhost” changes=”Unregistered device localhost add succeeded”
  • type=event, subtype=dvm, pri=notice, desc=“Device,Manager,dvm,log,at,notice,level”, user=“System”, userfrom=“”, msg=“” adom=“root” session_id=0 operation=“Modify device” performed_on=“localhost” changes=”Edited device settings (SN FMG-VMTM23017412)”

Observed IP addresses:

  • 45.32.41[.]202
  • 104.238.141[.]143
  • 158.247.199[.]37
  • 45.32.63[.]2
  • 195.85.114[.]78
  • 107.191.63[.]169
  • 139.180.138[.]190
  • 149.28.157[.]135
  • 167.179.90[.]211
  • 216.238.98[.]214
  • 65.20.78[.]114

Additionally reported by trusted sources:

  • 80.66.196[.]199

Serial numbers:

  • FMG-VMTM2301741
  • FMG-VMTM19008093

Files:

  • /tmp/.tm
  • /var/tmp/.tm

Note:

Not all attack attempts contain these files. Nevertheless, the BSI recommends regularly checking the indicators and, if necessary, applying the recovery procedure if a compromise is detected.

Measures and recommendations for action:

  • Software updates: Companies should immediately check whether the latest secure version is installed on their Fortinet FortiManager instances. Fortinet has already released patches that fix the vulnerability.
  • Workaround for missing patches: If the update is currently not possible, administrators should temporarily close the attack path, for example by setting the “fgfm-deny-unknown” function to “enable” to restrict access to authorized devices.
  • Restricted access: Access to FortiManager should be restricted to trusted IP addresses. This can be configured via “Local-in Policies”, which only allows known IP addresses to access the FGFM service (port 541).
  • Security review and monitoring: Administrators should review log files for signs of attack activity and watch for suspicious activity. Indicators such as unusual registrations or access attempts may indicate a compromise. Reviewing IP addresses documented in previous attacks can also provide valuable clues.
  • Administrative hardening and network segmentation: It is recommended that the FortiManager instance be operated behind a firewall and that the FGFM service be isolated from untrusted networks. Further security guidelines for administration and protection of critical network interfaces can be found in the Fortinet Security Guide.

By taking these steps, organizations can significantly reduce the potential impact of an attack and strengthen their security infrastructure in the long term.

Fortinet response:

Fortinet responded quickly after the discovery of the zero-day vulnerability to ensure the security of its users as best as possible. In its advisory, the company published a detailed description of the vulnerability, including the affected products and potential risks. At the same time, a patch was developed and deployed to close the security hole. Fortinet advises all customers to update the affected systems immediately to minimize the risk of attack.

In addition, Fortinet has provided preventive measures and workarounds for customers who, for technical or operational reasons, are unable to install the patch immediately. Fortinet is actively supporting companies in implementing these measures to reduce the risk of attacks in the meantime. Fortinet is thus sending a clear signal in terms of security awareness and emphasizing the importance of a fast and coordinated approach in crisis situations.

Conclusion:

The incident involving the zero-day vulnerability in Fortinet products underscores the fact that even the most advanced security solutions are not fully secure against new threats. It clearly demonstrates how dynamic the threat environment is in today’s digital world and how important it is for organizations to be prepared for potential risks. For companies and IT teams, this means that regular updates, the rapid integration of new software and security solutions, and proactive security management are essential. The incident is an important wake-up call to continuously review and adapt your security strategies.

error: