Ransomware Doesn't Take a Holiday

Get ultimate protection this festive period with our Proof of Value (PoV), 3 month non-committal offer. Sign up today.

Urgent Security Advisory: Fortinet FortiManager Vulnerability CVE-2024-47575

Fortinet users, take note: a severe vulnerability has been detected in FortiManager, putting your networks at serious risk. A recently discovered zero-day vulnerability, CVE-2024-47575 (CVSS 9.8), is currently being exploited in active attacks, allowing remote attackers to execute arbitrary code through specially crafted requests. Fortinet has responded, workarounds are available, but the issues can be addressed by upgrading to an unaffected version. 

  

What you need to know about CVE-2024-47575 

The vulnerability (CWE-306: Missing Authentication for Critical Function) in the FortiManager fgfmd daemon can allow remote, unauthenticated attackers to gain full control of the system, potentially executing malicious code or commands. Given its high CVSS score (9.8), this vulnerability poses a critical risk to organisations relying on FortiManager to protect and manage their FortiGate deployments. 

  

Affected versions 

The following FortiManager versions are affected: 

  • FortiManager 7.6: 7.6.0 — Upgrade to 7.6.1 or above 
  • FortiManager 7.4: 7.4.0 through 7.4.4 — Upgrade to 7.4.5 or above 
  • FortiManager 7.2: 7.2.0 through 7.2.7 — Upgrade to 7.2.8 or above 
  • FortiManager 7.0: 7.0.0 through 7.0.12 — Upgrade to 7.0.13 or above 
  • FortiManager 6.4: 6.4.0 through 6.4.14 — Upgrade to 6.4.15 or above 
  • FortiManager 6.2: 6.2.0 through 6.2.12 — Upgrade to 6.2.13 or above 

 

FortiManager Cloud users are also impacted, with various versions from 6.4 to 7.4 requiring upgrades to the latest available release. 

  

e2e-assure’s Recommendations: What you should do now 

Fortinet advises upgrading to a fixed version as soon as possible. Below are the recommended mitigation steps if upgrading isn’t immediately feasible: 

  1. Prevent unknown devices from registering: For FortiManager versions 7.0.12 or above, 7.2.5 or above, and 7.4.3 or above (excluding 7.6.0), configure the system to deny unknown devices attempting to register.

    Warning: This setting will prevent any FortiGate not explicitly listed from registering, even if model devices with pre-shared keys are set up.

  2. Add local-in policies: For FortiManager versions 7.2.0 and above, add local-in policies to whitelist IP addresses of allowed FortiGate connections.
  3. Use custom certificates: For versions 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above, configure FortiManager to use a custom certificate, which mitigates this vulnerability. 

For more information, visit https://www.fortiguard.com/psirt/FG-IR-24-423 

 

How to detect signs of exploitation: 

 

Detecting signs of this vulnerability being exploited requires close monitoring of network traffic patterns and FortiManager logs. Indicators of compromise (IoCs) may include unusual or unexpected connections to the fgfmd daemon, especially from external or untrusted IP addresses.  

Look for the following signs: 

  • Unusual Login Attempts: Repeated login attempts or access from IP addresses that are not typically associated with your infrastructure. 
  • Network Traffic Anomalies: Increased or abnormal traffic on port 541, which is used for FortiManager communications. This may indicate attempts to exploit the vulnerability. 
  • Suspicious Commands Executed: Check logs for any unusual commands executed by the fgfmd daemon, particularly those that are not part of routine operations. 
  • Unauthorized Configuration Changes: Unexpected changes in system configurations could be a sign that an attacker has gained access. 

 

To detect these signs, ensure that logging is enabled for all critical functions and consider using intrusion detection and prevention systems (IDS/IPS) to flag suspicious activities. Regularly review logs and utilize network monitoring tools to identify anomalies that could indicate an exploitation attempt. 

 

Why does this matter? 

CVE-2024-47575 is being actively exploited, delays in upgrading is likely to make businesses vulnerable to malicious activity. Due to the nature of this vulnerability, once exploited threat actors can gain full control of operating systems, potentially causing significant impact to business operations due to loss of system control and the risk of a data breach.  

 

Staying secure 

e2e-assure are aware of the ongoing activity and continue to follow advice on detection as well as continuing to be vigilant on the detections we have in place. Internally we recommend organisations remain vigilant by regularly checking for updates, patching vulnerabilities as soon as fixes are released, and only taking advice from trusted sources. We recommend visiting Fortinet’s official advisory page or consult with your security provider to ensure your infrastructure is secure. 

 

How we can help? 

For e2e-assure customers, our team is here to assist with implementing mitigations and upgrades. If you have questions about this vulnerability or need assistance, please reach out to your account manager. 

For non e2e-assure customers, we recommend visiting Fortinet’s official advisory page or consulting with your security provider to ensure your infrastructure is secure. If you do not have a security provider, contact us for support.  

 

Related Posts

In the rush to integrate AI, many organisations believe they have established a secure foundation to manage its potential risks. And, according to our recent

e2e-assure appoints Head of Public Sector to enhance strategic offering and strengthen cyber capabilities for UK national infrastructure. Managed Threat Detection & Response provider, e2e-assure,