Alert essentials:

A threat actor can execute arbitrary code in FortiManager using an API vulnerability currently exploited in the wild.

Version upgrades are available for FortiManager 7.2.8 and 7.4.5. More fixes are expected to be released in the coming days.



Detailed threat description:

A critical function in Fortinet’s FortiManager “fgfmd” daemon is missing authentication.

If an unauthenticated bad actor obtains a certificate from any Fortinet device they own or have compromised, the missing authentication can be used to execute arbitrary code remotely.

Attacks are reported in the wild, and this flaw, with a 9.8 CVSS score, has already been added to CISA’s Known Exploited Vulnerabilities list. Fortunately, there are no current indications that malware or backdoors are being installed via the method. However, exfiltration of files containing configurations and credentials has been observed.

Customers known to have vulnerable FortiManager versions privately received mitigation instructions from Fortinet. Since then, the bypass has been fixed in two available version upgrades. Additional version upgrades with fixes are expected to be released soon. Until then, perform the following mitigations on vulnerable devices.

UPDATE 11/21/24: Used in DeepData Campaign

Cybersecurity researchers have identified a malware campaign leveraging this vulnerability. The DeepData framework is a post-exploit tool that consists of modular malware that extracts VPN credentials from client memory, among other tricks.

Researchers recently caught the threat group BrazenBamboo exploiting this former zero-day as part of the DeepData campaign, with activity observed since June 2024.

Widespread attacks exfiltrate contacts, emails, audio files, configuration details, cookies, chat messages, hashed passwords, and VPN credentials.

Mitigations:

  • Utilize the set fgfm-deny-unknown enable command to prevent devices with unknown serial numbers from registering to the FortiManager.
  • Create a custom certificate when creating the SSL tunnel and authenticating FortiGate devices with FortiManager.
  • Create an allow list of the IP addresses of FortiGate devices that are permitted to connect.

*Instructions on performing mitigations can be found in Fortinet’s advisory.

Workarounds:

Upgrade to a fixed version or use one of the following workarounds, depending on the version you’re running:

1) For FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0), prevent unknown devices from attempting to register:

config system global
set fgfm-deny-unknown enable
end

Note: This is the only workaround recommended for use in FortiManager Cloud.

Warning: With this setting enabled, be aware that if a FortiGate’s SN is not in the device list, FortiManager will prevent it from connecting to register upon deployment, even when a model device with PSK matches.

If FortiAnalyzer (FAZ) features are enabled on FortiManager (FMG), block the addition of unauthorized devices via Syslog:

conf system global
set detect-unregistered-log-device disable
end

If FortiGate Updates or Web Filtering are enabled, block the addition of unauthorized devices via FDS:

conf fmupdate fds-setting
set unreg-dev-option ignore
end

2) Alternatively, for FortiManager versions 7.2.0 and above, you may add local-in policies that allow only the IP addresses of FortiGates that are permitted to connect.

Example:
config system local-in-policy
edit 1
set action accept
set dport 541
set src <FortiGate IP addresses>
next
edit 2
set dport 541
next
end

3) For 7.2.2 and above, 7.4.0 and above, 7.6.0 and above, it is also possible to use a custom certificate which will mitigate the issue:

config system global
set fgfm-ca-cert <custom CA certificate>
set fgfm-cert-exclusive enable
end

Then install that certificate on the FortiGates. Only this CA will be accepted, which acts as a workaround provided the attacker cannot obtain a certificate signed by this CA through another channel.

NB: For FortiManager versions 6.2, 6.4, and 7.0.11 and below, please upgrade to one of the versions above and apply the above workarounds.
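The three workarounds above are all visible in the output of the FortiManager CLI (system global, fmupdate fds-setting, and system local-in-policy). The following script is an added example, not part of this advisory or of Fortinet's tooling: it parses a saved copy of that CLI output and reports which of the mitigations listed above are not in place. The sample configuration text is constructed for the example and is not captured from a real device; the function names parse_fortinet_config and audit_mitigations are the example's own.

```python
import shlex
from typing import Dict, List

# Constructed sample of FortiManager CLI output (not from a real device).
# It enables fgfm-deny-unknown and the FDS/Syslog blocks, restricts port 541
# with a local-in policy, but leaves fgfm-cert-exclusive disabled.
SAMPLE_CONFIG = """\
config system global
    set fgfm-deny-unknown enable
    set fgfm-ca-cert "Fortinet_CA_Custom"
    set fgfm-cert-exclusive disable
    set detect-unregistered-log-device disable
end
config fmupdate fds-setting
    set unreg-dev-option ignore
end
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 10.0.0.0/24
    next
    edit 2
        set dport 541
    next
end
"""


def parse_fortinet_config(text: str) -> Dict:
    """Turn config/edit/set/next/end blocks into nested dicts.

    'config system global' becomes cfg["system global"], and each
    'edit <n>' inside a table becomes cfg["<table>"]["<n>"].
    """
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # handles quoted values such as "Fortinet_CA_Custom"
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_mitigations(cfg: Dict) -> List[str]:
    """Return one finding per mitigation from the advisory that is not applied."""
    findings = []
    g = cfg.get("system global", {})
    if g.get("fgfm-deny-unknown") != "enable":
        findings.append("fgfm-deny-unknown is not enabled: devices with unknown serial numbers may register")
    if g.get("fgfm-cert-exclusive") != "enable" or not g.get("fgfm-ca-cert"):
        findings.append("custom CA not enforced: set fgfm-ca-cert and fgfm-cert-exclusive enable")
    # Only relevant when FortiAnalyzer features are enabled on the FortiManager.
    if g.get("detect-unregistered-log-device") != "disable":
        findings.append("detect-unregistered-log-device is not disabled (needed if FAZ features are enabled)")
    fds = cfg.get("fmupdate fds-setting", {})
    if fds.get("unreg-dev-option") != "ignore":
        findings.append("unreg-dev-option is not 'ignore' (needed if FortiGate Updates or Web Filtering are enabled)")
    policies = cfg.get("system local-in-policy", {})
    fgfm_rules = [r for r in policies.values() if isinstance(r, dict) and r.get("dport") == "541"]
    if not any(r.get("action") == "accept" and r.get("src") for r in fgfm_rules):
        findings.append("no local-in policy restricts port 541 (fgfm) to known FortiGate addresses")
    return findings


if __name__ == "__main__":
    for finding in audit_mitigations(parse_fortinet_config(SAMPLE_CONFIG)):
        print("MISSING:", finding)
```

Run it against the output of `show system global`, `show fmupdate fds-setting` and `show system local-in-policy` saved to a file; any finding corresponds to one of the workaround steps above. Absence of findings shows the settings are present, not that the FortiManager is patched, so the version check still comes first.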


Impacts on healthcare organizations:

Whenever healthcare systems are attacked, care delivery is delayed, inevitably putting patient safety at risk.


Affected products / versions:

FortiManager versions impacted are:


*FortiManager Cloud 7.6 is not affected

Older FortiAnalyzer models are also impacted when specific FortiManager features are enabled on them.

Models: 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E

With the following feature set:
config system global
set fmg-status enable
end

Affected units are reported to have at least one interface with the fgfm service enabled.

CVEs
CVE-2024-47575

IOCs

Log entries
type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,…",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"

type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

UPDATE:

Important note: The two entries above may keep being logged even on an up-to-date, patched system (e.g., FMG 7.4.5) – in which case they are not Indicators of Compromise anymore but indicators of a (failed) attempt to compromise the system. Indeed, the fix is not meant to prevent adding unauthorized devices (which these log entries are indicative of and can legitimately happen in a deployment context); it is meant to prevent unauthorized devices from sending exploit commands.

IP addresses
45.32.41.202
104.238.141.143
158.247.199.37
45.32.63.2
80.66.196.199
195.85.114.78
172.232.167.68

Serial Number
Rogue devices have been observed using the serial numbers FMG-VMTM23017412 and FMG-VMTM19008093.

Creation of Files
/tmp/.tm
/var/tmp/.tm

*Note that file IoCs may not appear in all cases.
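To put the indicators above to use, the following script is an added example (not from this advisory or from Fortinet) that parses FortiManager event log lines in the key=value format shown above and flags the "Unregistered device ... add succeeded" pattern, the two rogue serial numbers, and any of the listed IP addresses. The sample log lines are constructed for the example in the same layout as the entries above; the third line, the serial FGT-PLACEHOLDER-0001 and the function names parse_log_line, analyze and scan are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Indicators listed in this advisory for CVE-2024-47575.
ROGUE_SERIALS = {"FMG-VMTM23017412", "FMG-VMTM19008093"}
IOC_IPS = {
    "45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2",
    "80.66.196.199", "195.85.114.78", "172.232.167.68",
}

# Constructed sample log lines in the format shown above (not from a real device).
# The third line is a benign "Modify device" entry for a placeholder serial number.
SAMPLE_LOGS = [
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",'
    'user="device",msg="Unregistered device localhost add succeeded" device="localhost" '
    'adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" '
    'changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",'
    'user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" '
    'performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",'
    'user="admin",userfrom="",msg="" adom="root" session_id=7 operation="Modify device" '
    'performed_on="FGT-BRANCH01" changes="Edited device settings (SN FGT-PLACEHOLDER-0001)"',
]

# key=value pairs: values are either double-quoted (may contain commas/spaces)
# or bare tokens terminated by whitespace or a comma.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]*))')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SN_RE = re.compile(r"\bSN\s+([A-Z0-9-]+)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one FortiManager event log line into a field dictionary."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def analyze(line: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) hits for a single log line."""
    fields = parse_log_line(line)
    hits: List[Tuple[str, str]] = []
    # Unregistered device added: an exploitation attempt. Per the update above,
    # this also appears on patched systems, where it is a failed attempt.
    if fields.get("operation") == "Add device" and "Unregistered device" in fields.get("msg", ""):
        hits.append(("medium", "unregistered device added (exploitation attempt; failed if FMG is patched)"))
    # Serial numbers used by the rogue devices.
    for serial in SN_RE.findall(fields.get("changes", "")):
        if serial in ROGUE_SERIALS:
            hits.append(("high", f"known rogue serial number {serial}"))
    # Any listed attacker IP appearing anywhere in the line.
    for ip in sorted(set(IPV4_RE.findall(line))):
        if ip in IOC_IPS:
            hits.append(("high", f"known attacker IP {ip}"))
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan many lines; returns (line_index, severity, reason) tuples."""
    return [(i, sev, why) for i, line in enumerate(lines) for sev, why in analyze(line)]


if __name__ == "__main__":
    for index, severity, reason in scan(SAMPLE_LOGS):
        print(f"line {index}: [{severity}] {reason}")
```

Feed it exported FortiManager event logs (one entry per line). A "medium" hit alone means an unauthorized registration was attempted and should be checked against the device list; a "high" hit on a rogue serial number or listed IP warrants the manufacturer-supplied recovery procedure referenced below.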

The manufacturer-supplied recovery methods for compromised devices are available at the Fortinet PSIRT link below.


Recommendations

Engineering recommendations:

  • Upgrade vulnerable versions as soon as a fix is available
  • Perform mitigations for protection on vulnerable versions that do not have a fix currently

Leadership/Program recommendations:

  • Look for private notifications from Fortinet regarding the use of vulnerable Fortinet solutions
  • If your organization has a vulnerable FortiManager and a notice was not received, reach out to your Fortinet contact to be included in future notices

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

References: