WARNING: MISSING AUTHENTICATION IN FORTIMANAGER IS BEING EXPLOITED FOR ARBITRARY CODE EXECUTION, PATCH IMMEDIATELY!

Published : 25/10/2024

Reference:
Advisory #2024-250

Version:
1.0

Affected software:
FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled:
    config system global
        set fmg-status enable
    end
and at least one interface with the fgfm service enabled.
FortiManager 6.2.0 through 6.2.12
FortiManager 6.4.0 through 6.4.14
FortiManager 7.0.0 through 7.0.12
FortiManager 7.2.0 through 7.2.7
FortiManager 7.4.0 through 7.4.4
FortiManager 7.6.0
FortiManager Cloud 6.4 all versions
FortiManager Cloud 7.0.1 through 7.0.13
FortiManager Cloud 7.2.1 through 7.2.7
FortiManager Cloud 7.4.1 through 7.4.4

Type:
Missing Authentication leading to Arbitrary Code Execution

CVE/CVSS:

CVE-2024-47575: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://www.fortiguard.com/psirt/FG-IR-24-423

Risks

A critical vulnerability has been discovered in Fortinet FortiManager, software used by network administrators to manage Fortinet devices from a single console. The vulnerability is being actively exploited. Exploitation has a severe impact on the confidentiality, integrity and availability of the affected system.

Threat actors were observed exfiltrating detailed configuration data from the devices managed by the compromised FortiManager software, including information on users and their FortiOS256-hashed passwords. This data can be used to further compromise the FortiManager and the managed Fortinet devices, with severe impact on the enterprise environment.

Description

CVE-2024-47575 (also referred to as FortiJump) is a missing authentication vulnerability in the FortiManager fgfmd daemon that affects a critical function. A remote, unauthenticated attacker could execute arbitrary code or commands via specially crafted requests.

Recommended Actions

Patch
 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Consult the Fortinet advisory for a detailed list of actions to take depending on the version used in your organisation: https://www.fortiguard.com/psirt/FG-IR-24-423.
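As an added illustration for the affected-software list above and for this patch step (it is not CCB or Fortinet tooling), the Python helper below compares a product/version pair against the affected ranges copied from this advisory, and parses a FortiAnalyzer configuration dump to flag the stated exposure condition (fmg-status enabled and at least one interface with the fgfm service). The configuration sample is constructed; the `set allowaccess ... fgfm` interface syntax is an assumption, and the FortiAnalyzer model-number check is left out.

```python
"""Inventory helper for CVE-2024-47575: version-range check for FortiManager
and FortiManager Cloud, plus a FortiAnalyzer config-dump check.

Added example for this advisory, not Fortinet or CCB code. Ranges are copied
from the advisory's affected-software list; the FortiAnalyzer sample config
and the `set allowaccess ... fgfm` syntax are assumptions."""

import re

# (product, lowest affected, highest affected), both bounds inclusive.
# A None upper bound means "all versions" of that release train (Cloud 6.4).
AFFECTED_RANGES = [
    ("FortiManager", (6, 2, 0), (6, 2, 12)),
    ("FortiManager", (6, 4, 0), (6, 4, 14)),
    ("FortiManager", (7, 0, 0), (7, 0, 12)),
    ("FortiManager", (7, 2, 0), (7, 2, 7)),
    ("FortiManager", (7, 4, 0), (7, 4, 4)),
    ("FortiManager", (7, 6, 0), (7, 6, 0)),
    ("FortiManager Cloud", (6, 4, 0), None),
    ("FortiManager Cloud", (7, 0, 1), (7, 0, 13)),
    ("FortiManager Cloud", (7, 2, 1), (7, 2, 7)),
    ("FortiManager Cloud", (7, 4, 1), (7, 4, 4)),
]


def parse_version(text):
    """Turn '7.4.3' or 'v7.4.3' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True if the product/version pair lies inside any advisory range."""
    v = parse_version(version)
    for prod, low, high in AFFECTED_RANGES:
        if prod != product:
            continue
        if high is None:
            # Whole release train listed: match on major.minor only.
            if v[:2] == low[:2]:
                return True
        elif low <= v <= high:
            return True
    return False


def fortianalyzer_exposed(config_text):
    """True when a FortiAnalyzer config dump has `set fmg-status enable`
    under `config system global` AND an interface whose allowaccess list
    contains fgfm (interface syntax assumed, modelled on FortiOS)."""
    fmg_enabled = False
    fgfm_interface = False
    stack = []  # nesting of `config ...` blocks; `edit`/`next` are ignored
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "system global" and line == "set fmg-status enable":
            fmg_enabled = True
        elif stack and stack[-1] == "system interface" and line.startswith("set allowaccess"):
            if "fgfm" in line.split()[2:]:
                fgfm_interface = True
    return fmg_enabled and fgfm_interface


# Constructed sample dump (documentation address range, hypothetical host).
SAMPLE_FAZ_CONFIG = """\
config system global
    set hostname "faz-lab"
    set fmg-status enable
end
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
    edit "port2"
        set allowaccess ping
    next
end
"""

if __name__ == "__main__":
    for product, version in [("FortiManager", "7.4.3"), ("FortiManager", "7.4.5"),
                             ("FortiManager Cloud", "6.4.9"), ("FortiManager Cloud", "7.0.0")]:
        print(f"{product} {version}: {'AFFECTED' if is_affected(product, version) else 'not listed'}")
    print("FortiAnalyzer sample exposed:", fortianalyzer_exposed(SAMPLE_FAZ_CONFIG))
```

Feed the checker the version string and product family from your asset inventory; a "not listed" result only means the version is outside the ranges in this advisory and is no substitute for reading the Fortinet advisory for your exact release.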
 
Mitigate
 
In cases where patching is not immediately an option, Fortinet also shares mitigation instructions that vary depending on the software version. Consult their advisory.
 
Monitor/Detect
 
The CCB recommends that organisations scale up monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version protects against future exploitation, it does not remediate historic compromise.
Fortinet has shared Indicators of Compromise that can be used to monitor and investigate your network for possible intrusions.
 
