Exploited Critical Vulnerability CVE-2024-47575 in Fortinet FortiManager
Summary
This critical vulnerability could lead to unauthenticated arbitrary code execution
Affected platforms
The following platforms are known to be affected:
Threat details
Exploitation of CVE-2024-47575 in the wild
Fortinet states that this zero-day vulnerability has been exploited, and that the attacker activity identified in the wild was to use a script to automate the exfiltration of various files from FortiManager, which contained the IPs, credentials, and configurations of the managed devices.
Introduction
Fortinet has released a security advisory to address a critical vulnerability in the FortiManager fgfmd daemon.
CVE-2024-47575 is a ‘missing authentication for critical function’ vulnerability with a CVSSv3 score of 9.8. A remote unauthenticated attacker could send a specially crafted request to execute arbitrary code (ACE) or commands.
Recommended compromise assessment
NHS England National CSOC highly recommends performing a compromise assessment using the indicators of compromise (IoCs) provided in Fortinet's advisory. If malicious activity is found, please contact CSOC as a matter of urgency on 0300 303 5222 or email [email protected].
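As an added illustration of how such a compromise assessment can be scripted (this is not part of the NHS advisory or of Fortinet's guidance), the block below sweeps exported log lines for the IoCs in an indicator list. The four IP addresses and the serial number published in FG-IR-24-423 are not reproduced here: the `IOC_IPS` and `IOC_SERIALS` values are labelled placeholders to be replaced with the advisory's indicators. The sample log lines are constructed and do not follow FortiManager's real log format; `sweep_logs`, `summarize` and the `Hit` record are assumed names.

```python
import ipaddress
import re
from dataclasses import dataclass

# PLACEHOLDER indicators. Replace with the four IP addresses and the device
# serial number published in Fortinet PSIRT advisory FG-IR-24-423.
# The values below are documentation/test ranges, NOT real IoCs.
IOC_IPS = {"192.0.2.10", "192.0.2.11", "198.51.100.20", "203.0.113.30"}
IOC_SERIALS = {"FMG-PLACEHOLDER-SERIAL"}

# Loose IPv4 shape; each candidate is validated with ipaddress before use.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based line number in the scanned input
    indicator: str    # the IoC that matched
    kind: str         # "ip" or "serial"
    line: str         # the full log line, for analyst review


def valid_ipv4(token: str) -> bool:
    """True only for well-formed dotted-quad addresses (rejects e.g. 999.1.1.1)."""
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def sweep_logs(lines, ioc_ips=IOC_IPS, ioc_serials=IOC_SERIALS):
    """Return one Hit per (line, indicator) match, in input order.

    IP matching is exact on validated addresses; serial matching is a
    plain substring test so that vendor-specific formatting does not matter.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for tok in sorted(set(IPV4_RE.findall(line))):
            if valid_ipv4(tok) and tok in ioc_ips:
                hits.append(Hit(n, tok, "ip", line))
        for serial in sorted(ioc_serials):
            if serial in line:
                hits.append(Hit(n, serial, "serial", line))
    return hits


def summarize(hits):
    """Group matched indicators by line number for a quick triage view."""
    by_line = {}
    for h in hits:
        by_line.setdefault(h.line_no, []).append(f"{h.kind}:{h.indicator}")
    return by_line


# Constructed sample input (illustrative only; not FortiManager's log format).
SAMPLE_LOGS = [
    "2024-10-23 10:01:02 fgfmd: connection from 10.0.5.4 serial=FGT-LEGIT-0001 ok",
    "2024-10-23 10:02:15 fgfmd: connection from 203.0.113.30 serial=FMG-PLACEHOLDER-SERIAL",
    "2024-10-23 10:03:40 fgfmd: connection from 10.0.5.4 serial=FGT-LEGIT-0001 ok",
    "2024-10-23 10:05:00 admin: backup exported to 192.0.2.10",
]

if __name__ == "__main__":
    for h in sweep_logs(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} IoC {h.indicator} -> {h.line}")
```

Run it against a log export (one line per entry) after substituting the advisory's indicators; any hit is a reason to escalate to the CSOC as the paragraph above describes, not a verdict on its own, since a legitimate address can coincide with an indicator.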
Threat updates
Date | Update |
---|---|
31 Oct 2024 | Updated to reflect information added to the advisory. Added IoCs (4 IP addresses and 1 serial number), note to log entries, and link to 'Best Practices for Maintaining Secure Credentials'. |
25 Oct 2024 | Correction to remediation link. The link to the advisory was incorrectly listed as FG-IR-24-029, although the link itself was correctly linked to FG-IR-24-423. It has been changed to the actual advisory name. |
Remediation advice
Affected organisations must review Fortinet PSIRT Advisory FG-IR-24-423, apply security updates, and follow Fortinet's recovery guidance, which has been listed below.
If organisations are unable to immediately apply security updates, workarounds are outlined in the advisory FG-IR-24-423 as a temporary measure.
Remediation steps
Type | Step |
---|---|
Guidance | A FortiManager configuration backup file would not contain any OS or system-level file changes, as these files are not included in the archive. Therefore, taking a backup from a compromised system and then restoring it on a fresh or re-initialised one would not carry over and re-introduce such low-level changes. When taking this approach, be aware that the data may have been tampered with; careful review should be done to confirm configuration accuracy. The methods below assume that the managed devices (FortiGates or other) contained in the backup have not been tampered with and that their configurations are reliable. The event logs of the FortiGates should be reviewed starting from the date of the identified IoCs, to determine whether there was any unauthorised access or configuration change. Since data may have been exfiltrated from the FortiManager database, we recommend that the credentials, such as passwords and user-sensitive data, of all managed devices be urgently changed. For a more detailed list, see Best Practices for Maintaining Secure Credentials. For VM installations, recovery can be facilitated by keeping a copy of the compromised FortiManager in an isolated network with no Internet connection, as well as configuring it in offline mode and closed-network mode operation (see settings below). This system can be used to compare with the new one, which will be set up in parallel. |
Guidance | Option 1 – Recommended Recovery Action: this method ensures that the FortiManager configuration was not tampered with. It will require database rebuilding or device configuration resynchronisation at the Device and Policy Package ADOM levels. |
Guidance | Option 2 – Alternative Recovery Action: this method provides a quick recovery, where partial or no database rebuilding/resynchronisation is required. It requires that you manually verify the accuracy of the currently running FortiManager configuration. |
Guidance | For more information on data configuration and synchronisation procedures, see https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-data-configuration-and/ta-p/351748 |
Indicators of compromise
Definitive source of threat updates
Last edited: 31 October 2024 2:21 pm