FortiManager API Vulnerability (CVE-2024-47575): Critical Zero-Day Exploited in the Wild
On October 23, 2024, Fortinet disclosed a critical zero-day vulnerability affecting their FortiManager platform, identified as CVE-2024-47575. This vulnerability, carrying a CVSS score of 9.8, is due to missing authentication for a critical function (CWE-306) in the FortiManager's fgfmd daemon. The flaw allows unauthenticated attackers to execute arbitrary code or commands on affected systems using specially crafted requests.
This vulnerability has been confirmed to be exploited in the wild, with attackers leveraging the flaw to exfiltrate sensitive files, including IP addresses, credentials, and device configurations from FortiManager systems.
Vulnerability Overview
The CVE-2024-47575 vulnerability impacts the FortiManager API, enabling attackers to bypass authentication and gain control of FortiManager systems. From there, they can access managed Fortinet devices, making this flaw particularly dangerous for Managed Service Providers (MSPs) who rely on FortiManager to centrally manage client environments.
Reports of exploitation began to surface around October 13, 2024, when private warnings were sent to some FortiManager customers by Fortinet. However, the wider public only became aware of the flaw in the following days through leaked discussions on Reddit and reports from cybersecurity researchers, including high-profile expert Kevin Beaumont, who coined the term "FortiJump" to describe this attack.
It should be noted that 256 Solutions does NOT presently use FortiManager to manage our deployed FortiGates. All FortiGates are managed locally at the customer premises. If you are reading this and you are a customer of 256 Solutions, you are NOT affected.
Impact and Exploitation
According to Fortinet’s advisory, attackers are using this vulnerability to automate the exfiltration of files from compromised FortiManager servers. The stolen data includes critical information about managed devices, such as:
IP addresses
Credentials
Device configurations
The exfiltrated data could allow attackers to target downstream systems managed by FortiManager, expanding their access to corporate or client networks. While Fortinet has noted that no malware or backdoors have been detected on compromised systems, the risk of further exploitation remains high.
Affected Versions
The following versions of FortiManager and FortiManager Cloud are vulnerable to CVE-2024-47575:
FortiManager 7.6.0
FortiManager 7.4.0 to 7.4.4
FortiManager 7.2.0 to 7.2.7
FortiManager 7.0.0 to 7.0.12
FortiManager 6.4.0 to 6.4.14
FortiManager 6.2.0 to 6.2.12
FortiManager Cloud 7.4.1 to 7.4.4
FortiManager Cloud 7.2 (all versions)
FortiManager Cloud 7.0 (all versions)
FortiManager Cloud 6.4 (all versions)
FortiManager Cloud 7.6 is not affected.
Mitigation and Workarounds
Fortinet has released patches to address this vulnerability, and customers are strongly urged to update their systems immediately to the latest fixed versions listed in the official advisory. If updating is not possible, Fortinet provides the following workarounds:
Deny Unknown Devices
For certain FortiManager versions (7.0.12+, 7.2.5+, and 7.4.3+), prevent unknown devices from registering by using the following commands in the CLI:
config system global
(global)# set fgfm-deny-unknown enable
(global)# end
Whitelist IP Addresses
For versions 7.2.0 and above, create local-in policies to whitelist trusted FortiGate IP addresses:
config system local-in-policy
edit 1
set action accept
set dport 541
set src <IP address of a trusted FortiGate>
next
edit 2
set dport 541
next
end
Custom Certificates
Implement custom certificates in versions 7.2.2+ and 7.4.0+ to secure the FGFM SSL tunnel:
config system global
set fgfm-ca-cert <certificate name>
set fgfm-cert-exclusive enable
end
Recovery: If you suspect your FortiManager system has been compromised, Fortinet recommends creating backups, reviewing configurations carefully, and rotating all credentials for managed devices. Full system reinstallation with fresh configurations is also advised to ensure integrity.
Indicators of Compromise (IoCs)
Administrators should look for the following IoCs in their environments to detect possible exploitation:
Log entries showing the addition of unregistered devices named "localhost":
type=event,subtype=dvm,pri=information,msg="Unregistered device localhost add succeeded"
IP addresses involved in attacks:
45.32.41.202
104.238.141.143
158.247.199.37
45.32.63.2
File Indicators such as /tmp/.tm and /var/tmp/.tm.
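The indicators above can be checked against exported event logs and a file listing with a short script. This is an added example, not code from Fortinet or from the original post; it assumes comma-separated key=value log lines like the one quoted above, and the sample lines, the srcip field and the non-IoC paths are constructed for illustration.

```python
import re

# IoCs copied from the list above (values as quoted on this page).
IOC_MSG = "Unregistered device localhost add succeeded"
IOC_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2"}
IOC_FILES = {"/tmp/.tm", "/var/tmp/.tm"}

# key=value pairs, comma separated; values may be double-quoted and contain commas.
KV_RE = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|[^,]*)')
# Whole dotted quads only, so 145.32.41.202 is not read as 45.32.41.202.
IP_RE = re.compile(r'(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])')


def parse_event(line):
    """Parse one key=value event log line into a dict, unquoting values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def scan_log(lines):
    """Return (line_number, reason) for each line matching a listed IoC."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = parse_event(line)
        if fields.get("subtype") == "dvm" and IOC_MSG in fields.get("msg", ""):
            hits.append((number, "unregistered device 'localhost' added"))
        for ip in sorted(set(IP_RE.findall(line)) & IOC_IPS):
            hits.append((number, "listed IP " + ip))
    return hits


def scan_paths(paths):
    """Return the listed file indicators that appear in a file listing."""
    return sorted(IOC_FILES & set(paths))


# Constructed sample lines; only the IoC msg text and the listed IP come from the page.
SAMPLE_LOG = [
    'type=event,subtype=dvm,pri=information,msg="Unregistered device localhost add succeeded"',
    'type=event,subtype=system,pri=information,msg="Login from 192.0.2.10, user admin"',
    'type=event,subtype=dvm,pri=notice,srcip=45.32.41.202,msg="device add request"',
    'type=event,subtype=dvm,pri=information,msg="Device fw-branch-01 add succeeded"',
]

if __name__ == "__main__":
    for number, reason in scan_log(SAMPLE_LOG):
        print(f"line {number}: {reason}")
    print(scan_paths(["/tmp/.tm", "/tmp/cache", "/var/tmp/report.txt"]))
```

A hit on any of these is a reason to follow the recovery steps above; the absence of hits does not prove the system is clean.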
The CVE-2024-47575 vulnerability is a significant risk for organizations using FortiManager, especially MSPs managing multiple environments. With active exploitation reported, it’s crucial to patch your systems immediately or implement workarounds to protect your network. Stay vigilant, monitor for IoCs, and review your configurations to ensure the safety of your systems.
For further details, visit Fortinet's advisory.
256 Solutions is a Hamilton-based IT services provider serving businesses throughout Hamilton, Burlington, Oakville, and the Niagara Region. If you are trying to manage your own environment and are overwhelmed with the number of vulnerabilities and updates you need to process, please contact us. We will be happy to look after this for you and let you focus on running your business.