External risk intelligence

FortiManager: Remote Code Execution Vulnerability

CVE advisory · Known Exploit

CVE-2024-47575

Certain FortiManager and FortiManager Cloud versions have a missing authentication vulnerability, allowing attackers to execute arbitrary code. This impacts system integrity and could lead to data compromise.

Halo Surface Signal: 4

Missing Authentication

Fortinet Fortimanager

  • 6.2.0 to before 6.2.13
  • 6.4.0 to before 6.4.15
  • 7.0.0 to before 7.0.13
  • 7.2.0 to before 7.2.8
  • 7.4.0 to before 7.4.5
  • 7.6.0
  • 6.4.1 to 6.4.7
  • 7.0.1 to before 7.0.13
  • 7.2.1 to before 7.2.8
  • 7.4.1 to...

External exposure likelihood

Halo Surface Signal score for CVE-2024-47575

FortiManager is a centralized management platform for network security appliances. It is commonly deployed as a network-facing service, frequently positioned at the edge or within a management segment where it may be reachable by other network devices or administrators. Given its role as a management console, it is often accessible via the network to facilitate device coordination.

Horizon Alert

Summary of the vulnerability and why it matters

Certain versions of FortiManager and FortiManager Cloud are vulnerable because a critical function is missing authentication. This flaw allows an attacker to execute arbitrary code or commands. The primary business impact is unauthorized system control and data compromise.

  • FortiManager and FortiManager Cloud
  • Missing authentication for critical function
  • Arbitrary code execution and command control

Attack Path

How an attacker could exploit the issue

A missing authentication vulnerability allows an attacker to execute arbitrary code or commands on FortiManager systems. This occurs when an attacker sends specially crafted requests to the vulnerable daemon. Successful exploitation could lead to unauthorized code execution, impacting the integrity and confidentiality of the affected systems.

  • Exposure: Network-accessible daemon
  • Attacker access: Unauthenticated network request
  • Trigger: Specially crafted request
  • Result: Arbitrary code execution

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability in FortiManager presents a significant risk, allowing attackers to execute arbitrary code or commands. This could lead to unauthorized access and control over critical network infrastructure. The ease of exploitation and potential for severe damage necessitate immediate attention.

  • Attackers with basic skills could exploit it.
  • No special access or conditions needed.
  • High business risk; treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The identified vulnerability presents a critical risk to organizations utilizing specific versions of FortiManager and FortiManager Cloud. This exposure allows for the execution of arbitrary code or commands through crafted requests, potentially leading to significant business disruption and data compromise. Prompt action is necessary to mitigate these risks.

  • Find exposed FortiManager assets.
  • Reduce exposure or isolate risk.
  • Apply, verify, and monitor fixes.
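As an added illustration of the "find exposed assets" and "verify fixes" steps (example code, not part of the original advisory), the following Python checks a firmware inventory against the affected-version ranges listed on this page. The hostnames and versions in the inventory are constructed sample data, and the range table merges the overlapping ranges from the list above.

```python
"""Triage FortiManager firmware versions against the CVE-2024-47575 affected ranges.

Added example, not part of the original advisory. Ranges are transcribed from this
page's affected-version list; the inventory below is constructed sample data.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive, upper bound exclusive). The page lists the upper bound as
# "to before X", i.e. X is the first release outside the range. A None upper bound
# means the page lists only that single release (7.6.0) with no fixed version given.
AFFECTED_RANGES: List[Tuple[Version, Optional[Version]]] = [
    ((6, 2, 0), (6, 2, 13)),
    ((6, 4, 0), (6, 4, 15)),   # also covers the listed 6.4.1 to 6.4.7 range
    ((7, 0, 0), (7, 0, 13)),   # also covers 7.0.1 to before 7.0.13
    ((7, 2, 0), (7, 2, 8)),    # also covers 7.2.1 to before 7.2.8
    ((7, 4, 0), (7, 4, 5)),
    ((7, 6, 0), None),
]

def parse_version(text: str) -> Version:
    """Turn 'v7.4.3' or '7.4.3' into (7, 4, 3); reject junk so bad inventory rows fail loudly."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiManager version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def _in_range(v: Version, lo: Version, hi: Optional[Version]) -> bool:
    return v == lo if hi is None else lo <= v < hi

def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(_in_range(v, lo, hi) for lo, hi in AFFECTED_RANGES)

def fixed_version_for(version: str) -> Optional[str]:
    """First release outside the matching range, or None if not affected or not listed on the page."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if _in_range(v, lo, hi):
            return None if hi is None else ".".join(str(x) for x in hi)
    return None

# Constructed sample inventory: (hostname, firmware version string as reported by the device)
SAMPLE_INVENTORY = [
    ("fmg-dc1.example.internal", "7.4.3"),
    ("fmg-cloud.example.internal", "7.2.8"),
    ("fmg-lab.example.internal", "v7.6.0"),
    ("fmg-legacy.example.internal", "6.2.12"),
]

def triage(inventory) -> List[Tuple[str, str, bool, Optional[str]]]:
    """Return (host, version, affected, fixed_in) rows, affected hosts first, for a remediation list."""
    rows = [(h, ver, is_affected(ver), fixed_version_for(ver)) for h, ver in inventory]
    return sorted(rows, key=lambda r: not r[2])

if __name__ == "__main__":
    for host, ver, hit, fix in triage(SAMPLE_INVENTORY):
        action = f"AFFECTED, upgrade to {fix}" if hit and fix else ("AFFECTED, see vendor advisory" if hit else "not in an affected range")
        print(f"{host:30} {ver:8} {action}")
```

Hosts reported as affected that cannot be upgraded immediately are the ones to isolate or to protect with the vendor workaround described below (restricting which devices may register).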

Frequently asked questions

What is FortiManager and what is it used for?

FortiManager is a centralized management platform designed by Fortinet to help organizations efficiently configure, deploy, and monitor their network security devices, such as FortiGate firewalls. It provides a single interface for managing security policies, device configurations, and firmware updates across potentially large and distributed security infrastructures.

What type of vulnerability does CVE-2024-47575 represent?

CVE-2024-47575 is a 'missing authentication for critical function' vulnerability. This weakness, classified as CWE-306, allows an unauthenticated attacker to execute arbitrary code or commands on vulnerable FortiManager systems by sending specially crafted requests.

What are the conditions for this FortiManager vulnerability to be triggered?

This vulnerability can be triggered when an attacker sends specially crafted requests to the vulnerable FortiManager daemon. Exploitation can occur without needing special access or conditions, and it does not require user interaction to be triggered.

Is FortiManager's exposure to this vulnerability primarily internet-facing or internal?

FortiManager is often deployed as a network-facing service, meaning it is commonly accessible over the network, potentially from the internet or other network segments. This makes it a significant target for external threats, as indicated by its classification as an 'external' exposure.

What are the first steps to take if running vulnerable FortiManager technology?

The immediate first step is to update affected FortiManager devices to a fixed version as soon as possible. If an immediate update is not feasible, apply the available workarounds recommended by Fortinet, such as enabling 'fgfm-deny-unknown' to prevent unauthorized devices from registering.
