FortiManager Critical CVE-2024-47575 “FortiJump” Allows RCE
Summary
On October 23, 2024, Fortinet published advisory FG-IR-24-423 for CVE-2024-47575, a critical-severity (CVSSv3 9.8) zero day affecting FortiManager. Missing authentication for a critical function in the FortiManager fgfmd daemon may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. Exploitation of this vulnerability, dubbed “FortiJump”, has been observed in the wild as a precursor to automated exfiltration of files from targeted FortiManager instances containing the IPs, credentials, and configurations of the managed devices. Although exploitation has been observed in the wild (from as early as June 27, 2024 according to Google Mandiant), no proof-of-concept was publicly available at the time of writing.
Affected Systems and/or Applications
The affected FortiManager and FortiManager Cloud versions, and the fixed version for each, are listed in Fortinet's advisory FG-IR-24-423 (see References).
Older FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G and 3900E are also affected when the FortiManager-on-FortiAnalyzer feature is enabled:
config system global
set fmg-status enable
end
and at least one interface has the fgfm service enabled.
Technical Details / Attack Overview
The fgfmd daemon implements the FortiGate-to-FortiManager (FGFM) protocol, which listens on TCP port 541 and authenticates connecting devices by certificate. With any valid FortiGate certificate, which can be obtained from an attacker-controlled FortiManager or FortiGate device, an attacker can register a rogue device with any internet-accessible FortiManager and, even while that device remains in an unauthorized state, execute API commands that return sensitive configuration data about the managed devices, including their users and FortiOS256-hashed passwords. This information can be used to further compromise the FortiManager, move laterally to the legitimate managed devices, and ultimately reach the enterprise environment.
In the activity observed by Mandiant, the harvested files were compressed into a Gzip archive named /tmp/.tm and transferred to an external host, likely via HTTPS; the full list of collected files is given in the Mandiant report (see References).
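The rogue-device registration described above leaves a trace in FortiManager's device-manager (dvm) event log: a device is added without ever having been registered, and device settings are created for a serial number the organisation does not own. The following hunting script is an added example, not code from Fortinet or Mandiant; it assumes the appliance's key=value log style and the field names type, subtype, operation, device and changes. The sample log lines and serial numbers are constructed for illustration and are not real captures or indicators.

```python
"""Hunt FortiManager dvm event logs for the rogue-device registration pattern.

Added example (not Fortinet or Mandiant code).  The field layout assumed here
(comma/space separated key=value pairs, some values double-quoted) only
approximates the appliance's real format; adjust KV_RE if your export differs.
"""
import re

# Constructed sample lines: a benign registration of an owned FortiGate, an
# "Unregistered device" add, a settings edit for a serial not in inventory,
# and an unrelated login event.  Serial numbers are made up.
SAMPLE_LOGS = [
    'type=event,subtype=dvm,pri=notice,user="admin",msg="Device branch-fw add succeeded" '
    'device="branch-fw" adom="root" operation="Add device" performed_on="branch-fw" '
    'changes="Device branch-fw add succeeded (SN FGT60EEXAMPLE001)"',
    'type=event,subtype=dvm,pri=notice,desc="Device,manager,generic,information,log",'
    'user="device",msg="Unregistered device localhost add succeeded" device="localhost" '
    'adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" '
    'changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,user="device",msg="Edited device settings" '
    'device="localhost" adom="FortiManager" operation="Edit device" performed_on="localhost" '
    'changes="Edited device settings (SN FMG-VMEXAMPLE0002)"',
    'type=event,subtype=system,pri=information,user="admin",msg="User admin login succeeded"',
]

# Serials of the FortiGates the organisation actually owns (constructed).
KNOWN_SERIALS = {"FGT60EEXAMPLE001"}

# key=value where the value is either a double-quoted string (may contain
# commas and spaces) or a bare token up to the next comma or whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]*)')
# Serial numbers appear as "(SN <serial>)" in the changes field (assumed).
SERIAL_RE = re.compile(r"\(SN\s+([A-Za-z0-9-]+)\)")


def parse_kv(line: str) -> dict:
    """Split one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def hunt(lines, known_serials):
    """Return (indicator, detail) tuples for dvm events matching the pattern."""
    findings = []
    for line in lines:
        f = parse_kv(line)
        if f.get("subtype") != "dvm":
            continue
        text = f.get("changes") or f.get("msg", "")
        # 1. A device was added without a prior registration: this is what a
        #    rogue device enrolled with a borrowed FortiGate certificate looks like.
        if f.get("operation") == "Add device" and "Unregistered device" in text:
            findings.append(("unregistered-device-add", f.get("device", "?")))
        # 2. Device settings were created or edited for a serial we do not own.
        m = SERIAL_RE.search(text)
        if m and m.group(1) not in known_serials:
            findings.append(("unknown-serial", m.group(1)))
    return findings


if __name__ == "__main__":
    for indicator, detail in hunt(SAMPLE_LOGS, KNOWN_SERIALS):
        print(f"{indicator}: {detail}")
```

Run it against an export of the dvm event log and a current inventory of FortiGate serial numbers; either indicator on a FortiManager exposed to the internet warrants checking for the /tmp/.tm archive and for outbound HTTPS to unexpected hosts around the same timestamp.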
Threat Actor Post Exploitation Activity
Mandiant has identified more than 50 “potentially compromised FortiManager devices in various industries” and attributes the observed in-the-wild exploitation to a new threat cluster it tracks as UNC5820. Notably, Mandiant has seen no evidence that the exfiltrated data was used to gain further access to the affected environments, and so could not determine the actor's motivation or location.
Workarounds and Mitigations
The fix is to upgrade from the affected version to the corresponding “Solution” version listed in Fortinet's advisory. Where that is not immediately possible, Fortinet offers the following workarounds.
- For FortiManager 7.0.12 or above, 7.2.5 or above, and 7.4.3 or above (but not 7.6.0), prevent unknown devices from attempting to register:
config system global
set fgfm-deny-unknown enable
end
(Warning: with this setting enabled, a FortiGate whose serial number is not already in the device list will be blocked from connecting to register when it is deployed, even if a model device with a matching PSK exists.)
- Alternatively, for FortiManager 7.2.0 and above, add local-in policies that allow only the IP addresses of the FortiGates that are permitted to connect.
Example:
config system local-in-policy
edit 1
set action accept
set dport 541
set src
next
edit 2
set dport 541
next
end
Policy 1 accepts FGFM traffic (TCP 541) only from the FortiGate addresses listed under set src; policy 2 sets no action, so it uses the default (deny) and blocks port 541 from every other source. Policies are evaluated in order, so the accept rule must precede the catch-all.
- For 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above, a custom CA certificate can be configured for FGFM, which also mitigates the issue:
config system global
set fgfm-ca-cert
set fgfm-cert-exclusive enable
end
Then install a certificate issued by that CA on each managed FortiGate. With fgfm-cert-exclusive enabled, only certificates from this CA are accepted for FGFM connections, so the stolen or attacker-generated FortiGate certificates used in the attack are rejected. This is a workaround only as long as the attacker cannot obtain a certificate signed by this CA through another channel.
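Because each workaround is a handful of CLI settings, it is easy to check programmatically whether a FortiManager has any of them in effect. The script below is an added example, not a Fortinet tool; it parses a standard FortiOS-style config/edit/set/next/end dump (for instance the output of show system global and show system local-in-policy) and reports the state of the three workarounds. It assumes that local-in policies are evaluated in order, that a policy with no action uses the default deny, and that the CA workaround only counts when both fgfm-ca-cert and fgfm-cert-exclusive are set. The two sample configurations, the certificate name and the addresses in them are constructed for illustration; the version gating from the advisory (which workaround exists on which release) is not checked here.

```python
"""Audit a FortiManager CLI config dump for the CVE-2024-47575 workarounds.

Added example, not Fortinet tooling.  Assumes the usual FortiOS-style
'config / edit / set / next / end' dump; sample values below are made up.
"""
import shlex

# Constructed sample: a default deployment with none of the workarounds.
WEAK_CONFIG = """
config system global
    set fgfm-deny-unknown disable
    set fgfm-cert-exclusive disable
end
config system local-in-policy
end
"""

# Constructed sample: all three workarounds applied (CA name and addresses are made up).
HARDENED_CONFIG = """
config system global
    set fgfm-deny-unknown enable
    set fgfm-ca-cert "corp-fgfm-ca"
    set fgfm-cert-exclusive enable
end
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 10.10.0.0/24 192.0.2.17/32
    next
    edit 2
        set dport 541
    next
end
"""

FGFM_PORT = "541"


def parse_fortios_config(text: str) -> dict:
    """Parse a config dump into nested dicts.

    Result shape: {"system global": {key: [values]},
                   "system local-in-policy": {"1": {key: [values]}, ...}}
    'set' values are kept as token lists because several fields take lists.
    """
    root, cur, stack = {}, {}, []
    root_ref = root
    cur = root_ref
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "config":
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            stack.append(cur)
            cur = cur.setdefault(tok[1], {})
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            cur = stack.pop()
    return root_ref


def audit_fgfm(cfg: dict) -> dict:
    """Map each workaround to True when it is in effect in the parsed config."""
    glob = cfg.get("system global", {})
    deny_unknown = glob.get("fgfm-deny-unknown") == ["enable"]
    # A custom CA only helps when one is configured AND made exclusive.
    cert_exclusive = (glob.get("fgfm-cert-exclusive") == ["enable"]
                      and bool(glob.get("fgfm-ca-cert")))
    # Local-in policy: an accept rule for 541 scoped to explicit sources that
    # precedes a rule for 541 with no source and default (deny) action.
    allow_idx = deny_idx = None
    for idx, pol in enumerate(cfg.get("system local-in-policy", {}).values()):
        if FGFM_PORT not in pol.get("dport", []):
            continue
        if pol.get("action") == ["accept"] and pol.get("src"):
            allow_idx = idx if allow_idx is None else allow_idx
        elif pol.get("action", ["deny"]) == ["deny"] and not pol.get("src"):
            deny_idx = idx if deny_idx is None else deny_idx
    local_in = allow_idx is not None and deny_idx is not None and allow_idx < deny_idx
    return {
        "fgfm-deny-unknown": deny_unknown,
        "fgfm-cert-exclusive": cert_exclusive,
        "local-in-policy-541": local_in,
        "mitigated": deny_unknown or cert_exclusive or local_in,
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_fgfm(parse_fortios_config(text)))
```

A "mitigated" result is not a substitute for the upgrade: it only says that one of the interim controls from the advisory is present, and the certificate workaround still depends on the CA's private key never reaching the attacker.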
What the Cyber Fusion Center is Doing
The CFC will continue to monitor the situation and send an advisory update if needed. Clients with vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
References
- https://www.fortiguard.com/psirt/FG-IR-24-423
- https://www.helpnetsecurity.com/2024/10/24/cve-2024-47575/
- https://www.rapid7.com/blog/post/2024/10/23/etr-fortinet-fortimanager-cve-2024-47575-exploited-in-zero-day-attacks/
- https://www.tenable.com/blog/cve-2024-47575-faq-about-fortijump-zero-day-in-fortimanager-fortimanager-cloud
- https://www.tenable.com/plugins/nessus/209559
- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-fortimanager-flaw-used-in-zero-day-attacks/
- https://www.bleepingcomputer.com/news/security/mandiant-says-new-fortinet-fortimanager-flaw-has-been-exploited-since-june/
- https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/