
Exploited Critical Vulnerability CVE-2024-47575 in Fortinet FortiManager

This critical vulnerability could lead to unauthenticated arbitrary code execution

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

This critical vulnerability could lead to unauthenticated arbitrary code execution


Threat details

Exploitation of CVE-2024-47575 in the wild

Fortinet states that this zero-day vulnerability has been exploited in the wild. The observed attacker activity was the use of a script to automate the exfiltration of various files from FortiManager, which contained the IP addresses, credentials and configurations of the managed devices.


Introduction

Fortinet has released a security advisory to address a critical vulnerability in the FortiManager fgfmd daemon, the service that handles the FortiGate-to-FortiManager (FGFM) protocol.

CVE-2024-47575 is a 'missing authentication for critical function' vulnerability with a CVSSv3 score of 9.8. A remote, unauthenticated attacker could send a specially crafted request to execute arbitrary code or commands.

Recommended compromise assessment

NHS England National CSOC highly recommends performing a compromise assessment using the indicators of compromise (IoCs) provided in Fortinet's advisory. If malicious activity is found, please contact CSOC as a matter of urgency on 0300 303 5222 or email [email protected].


Threat updates

Date: 31 Oct 2024
Update: Updated to reflect information added to the advisory. Added IoCs (4 IP addresses and 1 serial number), a note on the log entries, and a link to 'Best Practices for Maintaining Secure Credentials'.

Date: 25 Oct 2024
Update: Correction to remediation link. The link to the advisory was incorrectly labelled FG-IR-24-029, although the link itself correctly pointed to FG-IR-24-423. It has been changed to the actual advisory name.


Remediation advice

Affected organisations must review Fortinet PSIRT Advisory FG-IR-24-423, apply the security updates, and follow Fortinet's recovery guidance, which is reproduced below.

If organisations are unable to apply the security updates immediately, workarounds are outlined in advisory FG-IR-24-423 as a temporary measure.


Remediation steps


A FortiManager configuration backup file does not contain any OS or system-level file changes, as these files are not included in the archive. Therefore, taking a backup from a compromised system and restoring it on a fresh or re-initialised one would not carry over and reintroduce such low-level changes. When taking this approach, be aware that the data may have been tampered with; review it carefully to confirm configuration accuracy.

The methods below assume that the managed devices (FortiGates or other) contained in the backup have not been tampered with and that their configurations are reliable. Review the event log activity of the FortiGates from the date of the identified IoCs onward to determine whether there was any unauthorised access or configuration change. Since data may have been exfiltrated from the FortiManager database, we recommend urgently changing the credentials (passwords and other user-sensitive data) of all managed devices.

For a more detailed list, see Best Practices for Maintaining Secure Credentials.

For VM installations, recovery can be facilitated by keeping a copy of the compromised FortiManager in an isolated network with no Internet connection, configured in offline mode and closed-network mode (settings below). This system can be used for comparison against the new one, which is set up in parallel.

    config system admin setting
        set offline_mode enable
    end
    config fmupdate publicnetwork
        set status disable
    end


Option 1 – Recommended Recovery Action

This method ensures that the FortiManager configuration was not tampered with. It will require database rebuilding or device configuration resynchronisation at the Device and Policy Package ADOM levels.

  • Installing a fresh FortiManager VM or re-initialising a hardware model and adding/discovering the devices.
  • Installing a fresh FortiManager VM or re-initialising a hardware model, and restoring a backup taken before the IoC detection.


Option 2 – Alternative Recovery Action

This method provides a quick recovery, where partial or no database rebuilding/resynchronisation is required. It requires that you manually verify the accuracy of the currently running FortiManager configuration.

  • Installing a fresh FortiManager VM or re-initialising a hardware model and restoring/copying components or configuration sections from a compromised FortiManager.
  • Installing a fresh FortiManager VM or re-initialising a hardware model, and restoring a backup from a compromised FortiManager.


For more info on data configuration and synchronisation procedures: https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-data-configuration-and/ta-p/351748



Indicators of compromise

Log Entries

type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"

type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

Important note: the two entries above may keep being logged even on an up-to-date, patched system (such as FortiManager 7.4.5), in which case they are no longer IoCs but rather indicators of a (failed) attempt to compromise the system. The fix is not meant to prevent the adding of unauthorised devices (which these log entries indicate, and which can legitimately happen in a deployment context); it is meant to prevent unauthorised devices from sending exploit commands.

IP Addresses

45.32.41.202
104.238.141.143
158.247.199.37
45.32.63.2
80.66.196.199
195.85.114.78
172.232.167.68

Serial Number

FMG-VMTM23017412
FMG-VMTM19008093

Files

/tmp/.tm
/var/tmp/.tm
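As an added example (not part of the NHS England alert or of Fortinet's advisory), the following Python script shows how the log-entry, serial-number, IP-address and file-path indicators above can be applied to exported FortiManager event logs, taking account of the note that on a patched build the two log entries indicate an attempt rather than a compromise. The key=value parser, the function names, the severity labels and the two extra sample lines are this example's own assumptions; the first two sample lines are the entries quoted in the advisory.

```python
"""Triage FortiManager event logs against the CVE-2024-47575 indicators.

Added example; not code from the NHS England alert or from Fortinet.
Assumption: the logs have been exported from FortiManager (or forwarded to
a SIEM) in the key=value text form shown in the advisory.
"""
import re
from dataclasses import dataclass

# Indicators listed in the advisory.
IOC_IPS = {
    "45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2",
    "80.66.196.199", "195.85.114.78", "172.232.167.68",
}
IOC_SERIALS = {"FMG-VMTM23017412", "FMG-VMTM19008093"}
IOC_FILES = {"/tmp/.tm", "/var/tmp/.tm"}

# FortiManager lines mix comma- and space-separated key=value pairs, and a
# quoted value may itself contain commas, so split with a regex rather than
# on a single delimiter.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SERIAL = re.compile(r"\bSN\s+([A-Z0-9-]+)")


def parse_fmg_log(line: str) -> dict:
    """Return the key=value fields of one FortiManager log line."""
    return {key: quoted or unquoted for key, quoted, unquoted in _KV.findall(line)}


@dataclass
class Finding:
    severity: str  # "compromise" or "attempt" (labels chosen for this example)
    reason: str
    line: str


def triage_line(line: str, patched: bool) -> list[Finding]:
    """Match one log line against the indicators.

    `patched` states whether the FortiManager already carries the fix. Per the
    advisory note, the unregistered-device and device-settings entries keep
    appearing on patched builds, where they mark a failed attempt rather than
    a compromise, so their severity is downgraded in that case.
    """
    fields = parse_fmg_log(line)
    severity = "attempt" if patched else "compromise"
    findings = []

    if (fields.get("operation") == "Add device"
            and fields.get("performed_on") == "localhost"
            and "Unregistered device localhost add succeeded" in fields.get("changes", "")):
        findings.append(Finding(severity, "unregistered device 'localhost' added", line))

    if fields.get("operation") == "Modify device":
        match = _SERIAL.search(fields.get("changes", ""))
        if match and match.group(1) in IOC_SERIALS:
            findings.append(Finding(severity, f"known attacker serial number {match.group(1)}", line))

    # IP and file-path indicators are matched against the whole line so they
    # are caught whichever field carries them.
    for ip in set(_IPV4.findall(line)) & IOC_IPS:
        findings.append(Finding(severity, f"activity from listed IP address {ip}", line))
    for path in IOC_FILES:
        if path in line:
            # A staged file on disk is evidence of post-exploitation regardless of patch level.
            findings.append(Finding("compromise", f"listed file path {path} referenced", line))
    return findings


def triage(lines, patched: bool) -> list[Finding]:
    return [finding for line in lines for finding in triage_line(line, patched)]


# Sample input: the two entries quoted in the advisory, followed by two lines
# constructed for this example (a legitimate device add by an administrator,
# and a system event carrying one of the listed IP addresses).
SAMPLE_LOGS = [
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"',
    # constructed: normal administrator activity, should not be flagged
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="admin",userfrom="10.0.5.20",msg="Device branch-fw01 add succeeded" device="branch-fw01" adom="root" session_id=17 operation="Add device" performed_on="branch-fw01" changes="Device branch-fw01 add succeeded"',
    # constructed: a connection record from a listed IP address
    'type=event,subtype=system,pri=notice,desc="System,event",user="System",userfrom="158.247.199.37",msg="fgfm connection from 158.247.199.37" session_id=0',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS, patched=False):
        print(f"[{finding.severity}] {finding.reason}")
```

Run it over an export of the FortiManager event log (or the copy forwarded to a SIEM) with `patched` set according to the firmware build in use. An "attempt" finding still warrants checking the source addresses and confirming that no unexpected device object remains in the device manager, and any "compromise" finding should go to CSOC as described above.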


Definitive source of threat updates


Last edited: 31 October 2024 2:21 pm