Executive Summary
In the rapidly evolving landscape of cybersecurity, a critical zero-day vulnerability has emerged, affecting Fortinet's FortiManager software. This vulnerability, which allows remote code execution (RCE), has been actively exploited, posing significant risks to organizations worldwide. Despite the severity of the issue, Fortinet has yet to release a public advisory or assign a CVE designation, leaving many organizations exposed to potential threats. This report delves into the technical intricacies of the vulnerability, its exploitation in the wild, and offers guidance on mitigation strategies to safeguard your infrastructure.
Update: The vulnerability has now been assigned CVE-2024-47575, with a CVSS v3.1 Base Score of 9.8, reflecting its high impact on network security.
Technical Information
The vulnerability in question impacts Fortinet's FortiManager, a centralized management platform for Fortinet's security devices. The affected versions include 7.6.0 and below, 7.4.4 and below, 7.2.7 and below, 7.0.12 and below, and 6.4.14 and below. The vulnerability arises from a default configuration setting that permits devices with unknown or unauthorized serial numbers to register themselves into an organization's FortiManager dashboard. This flaw can be exploited by attackers to gain unauthorized access and execute remote code, thereby compromising the security of the entire network.
The exploitation process involves attackers stealing digital certificates from FortiGate devices, which are then used to register rogue devices into FortiManager. Once registered, these rogue devices can execute remote code, allowing attackers to manage legitimate downstream FortiGate firewalls, view configuration files, and alter settings. This level of access can lead to severe security breaches, data theft, and potential disruption of services.
Update: The vulnerability allows attackers to send specially crafted requests to the affected systems, exploiting the lack of authentication for critical functions. With a CVSS score of 9.8, this vulnerability poses a high risk of unauthorized access, data exfiltration, and network disruption.
Exploitation in the Wild
Reports indicate that this vulnerability has been actively exploited in the wild. Attackers have been observed using stolen certificates to register rogue FortiGate devices into FortiManager. Indicators of Compromise (IoCs) include unauthorized registration of devices with hostnames such as 'localhost' and unusual network traffic on port 541, the port used by the FGFM protocol. These activities suggest that attackers are leveraging the vulnerability to infiltrate networks and execute malicious activities.
Update: Attackers have been observed using automated scripts to exfiltrate files containing IPs, credentials, and configurations of managed devices. IoCs now include specific IP addresses linked to the attacks, namely 45.32.41.202, 104.238.141.143, 158.247.199.37, and 45.32.63.2, as well as the serial number FMG-VMTM23017412 and suspicious files located at /tmp/.tm and /var/tmp/.tm.
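The IoCs above (the listed attacker IPs, the rogue serial number, the 'localhost' registration hostname, FGFM traffic on port 541 from outside the trusted management networks, and the /tmp/.tm and /var/tmp/.tm paths) can be turned into a simple detector. The following is an added example, not code from the report or from Fortinet; the log lines are constructed samples in a simplified key=value form rather than FortiManager's real syslog format, and the trusted network list is an assumed parameter.

```python
import ipaddress
import re

# IoCs quoted in this report. The log lines further down are constructed samples,
# in a simplified key=value form, not real FortiManager syslog output.
IOC_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2"}
IOC_SERIAL = "FMG-VMTM23017412"
IOC_HOSTNAME = "localhost"
IOC_PATHS = ("/tmp/.tm", "/var/tmp/.tm")
FGFM_PORT = "541"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Split a key=value log line into a dict (quoted values allowed)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def check_line(line, trusted_nets):
    """Return the reasons one log line matches the report's IoCs (empty list = clean)."""
    ev, hits = parse_kv(line), []
    src = ev.get("srcip")
    if src in IOC_IPS:
        hits.append(f"source {src} is a listed attacker IP")
    if src and ev.get("dstport") == FGFM_PORT:
        # FGFM should only be reached from the networks where managed FortiGates live.
        if not any(ipaddress.ip_address(src) in net for net in trusted_nets):
            hits.append(f"FGFM (tcp/{FGFM_PORT}) connection from untrusted source {src}")
    if ev.get("action") == "device-register":
        if ev.get("hostname") == IOC_HOSTNAME:
            hits.append("device registered with hostname 'localhost'")
        if ev.get("sn") == IOC_SERIAL:
            hits.append(f"device registered with rogue serial {IOC_SERIAL}")
    path = ev.get("path", "")
    if any(path == p or path.startswith(p + "/") for p in IOC_PATHS):
        hits.append(f"file activity under IoC path {path}")
    return hits

def scan(lines, trusted_cidrs):
    """Map 1-based line numbers to their IoC hits, skipping clean lines."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return {n: h for n, line in enumerate(lines, 1) if (h := check_line(line, nets))}

SAMPLE_LOGS = [  # constructed for this example; serials and 198.51.100.x are made up
    'srcip=10.20.0.5 dstport=541 action=fgfm-connect',
    'srcip=45.32.41.202 dstport=541 action=fgfm-connect',
    'srcip=198.51.100.9 action=device-register hostname=localhost sn=FMG-VMTM23017412',
    'action=file-write path=/var/tmp/.tm/config.dump',
    'srcip=10.20.0.7 action=device-register hostname=fgt-branch-01 sn=FGT60FTK19000001',
]

FINDINGS = scan(SAMPLE_LOGS, ["10.20.0.0/16"])  # assumed trusted management network
```

Only lines 2, 3 and 4 of the sample produce findings; the FGFM connection from inside the assumed trusted network and the registration of a normally named device are left alone.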
APT Groups using this vulnerability
Independent researcher Kevin Beaumont has attributed the exploitation of this vulnerability to Chinese state-sponsored hackers. These advanced persistent threat (APT) groups have reportedly been using the vulnerability to infiltrate internal networks since earlier in the year. The targeting of specific sectors and countries by these APT groups underscores the critical nature of this vulnerability and the need for immediate action to mitigate potential risks.
Update: Although no specific APT groups have been officially named as exploiting CVE-2024-47575, the critical nature of this vulnerability makes it an attractive target for advanced cyber espionage groups.
Affected Product Versions
The affected versions of FortiManager include 7.6.0 and below, 7.4.4 and below, 7.2.7 and below, 7.0.12 and below, and 6.4.14 and below. Organizations using these versions are at risk and should prioritize upgrading to the patched versions, which are 7.6.1 and above, 7.4.5 and above, 7.2.8 and above, 7.0.13 and above, and 6.4.15 and above.
Workaround and Mitigation
To mitigate the risks associated with this vulnerability, organizations should upgrade to the patched versions of FortiManager listed above. Additionally, it is crucial to restrict FortiManager access to specific internal networks and avoid exposing it to the internet. Implementing strict certificate management practices can also prevent unauthorized use of stolen certificates and the registration of rogue devices. Regular monitoring for IoCs and unusual network activity can help in early detection of and response to exploitation attempts.
Update: For CVE-2024-47575, Fortinet has released updated fixed versions for FortiManager and FortiManager Cloud. Organizations should upgrade to the following versions:
FortiManager: 7.6.1 and above, 7.4.5 and above, 7.2.8 and above, 7.0.13 and above, and 6.4.15 and above
FortiManager Cloud: 7.4.5 and above, 7.2.8 and above, 7.0.13 and above, and 6.4.8 and above
References
For further reading and detailed analysis, refer to the original report by Dan Goodin on Ars Technica: Fortinet stays mum on critical 0-day reportedly under active exploitation (https://arstechnica.com/security/2024/10/fortinet-stays-mum-on-critical-0-day-reportedly-under-active-exploitation/). Additional insights can be found in Kevin Beaumont's analysis on Mastodon and his subsequent blog post.
Rescana is here for you
At Rescana, we understand the complexities and challenges posed by emerging cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help organizations proactively manage and mitigate risks. We are committed to providing our customers with the tools and insights needed to protect their infrastructure and data. Should you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com. We are here to assist you in navigating the ever-changing cybersecurity landscape.