Fortinet has confirmed details of a critical security flaw impacting FortiManager that has come under active exploitation in the wild.
Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol.
“A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests,” the company said in a Wednesday advisory.
The shortcoming impacts FortiManager versions 7.x, 6.x, FortiManager Cloud 7.x, and 6.x. It also affects old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E that have at least one interface with fgfm service enabled and the below configuration on –
config system global set fmg-status enable end
Fortinet has also provided three workarounds for the flaw depending on the current version of FortiManager installed –
- FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above: Prevent unknown devices to attempt to register
- FortiManager versions 7.2.0 and above: Add local-in policies to allow-list the IP addresses of FortiGates that are allowed to connect
- FortiManager versions 7.2.2 and above, 7.4.0 and above, 7.6.0 and above: Use a custom certificate
According to runZero, a successful exploitation requires the attackers to be in possession of a valid Fortinet device certificate, although it noted that such certificates could be obtained from an existing Fortinet device and reused.
“The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices,” the company said.
It, however, emphasized that the vulnerability has been not weaponized to deploy malware or backdoors on compromised FortiManager systems, nor is there any evidence of any modified databases or connections.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the defect to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by November 13, 2024.
Fortinet also shared the below statement with The Hacker News –
After identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors. We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response.
CVE-2024-47575 Exploitation Linked to UNC5820
Google-owned Mandiant has attributed the mass exploitation of FortiManager appliances using CVE-2024-47575 to a new threat cluster it’s tracking under the name UNC5820.
No less than 50 potentially compromised FortiManager devices across various industries have been identified to date, with evidence of exploitation dating back to June 27, 2024.
“UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager,” Mandiant researchers Foti Castelan, Max Thauer, JP Glab, Gabby Roncone, Tufail Ahmed, and Jared Wilson said.
“This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment.”
The threat intelligence firm, which is working with Fortinet, said it found no evidence that the threat actor abused the configuration data for lateral movement and further post-exploitation. The exact origins and motivations of UNC5820 remain unclear, it added, citing lack of sufficient data.