Vulnerability

Fortinet has confirmed details of a critical security flaw impacting FortiManager that has come under active exploitation in the wild.

Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol.

"A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests," the company said in a Wednesday advisory.

Cybersecurity

The shortcoming impacts FortiManager versions 7.x, 6.x, FortiManager Cloud 7.x, and 6.x. It also affects old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E that have at least one interface with fgfm service enabled and the below configuration on -

config system global
set fmg-status enable
end

Fortinet has also provided three workarounds for the flaw depending on the current version of FortiManager installed -

  • FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above: Prevent unknown devices to attempt to register
  • FortiManager versions 7.2.0 and above: Add local-in policies to allow-list the IP addresses of FortiGates that are allowed to connect
  • FortiManager versions 7.2.2 and above, 7.4.0 and above, 7.6.0 and above: Use a custom certificate

According to runZero, a successful exploitation requires the attackers to be in possession of a valid Fortinet device certificate, although it noted that such certificates could be obtained from an existing Fortinet device and reused.

"The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices," the company said.

It, however, emphasized that the vulnerability has been not weaponized to deploy malware or backdoors on compromised FortiManager systems, nor is there any evidence of any modified databases or connections.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the defect to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by November 13, 2024.

Fortinet also shared the below statement with The Hacker News -

After identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors. We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response.

CVE-2024-47575 Exploitation Linked to UNC5820

Google-owned Mandiant has attributed the mass exploitation of FortiManager appliances using CVE-2024-47575 to a new threat cluster it's tracking under the name UNC5820.

No less than 50 potentially compromised FortiManager devices across various industries have been identified to date, with evidence of exploitation dating back to June 27, 2024.

Cybersecurity

"UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager," Mandiant researchers Foti Castelan, Max Thauer, JP Glab, Gabby Roncone, Tufail Ahmed, and Jared Wilson said.

"This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment."

The threat intelligence firm, which is working with Fortinet, said it found no evidence that the threat actor abused the configuration data for lateral movement and further post-exploitation. The exact origins and motivations of UNC5820 remain unclear, it added, citing lack of sufficient data.

Over 4,000 Exposed FortiManager Admin Portals Exposed Online

Data shared by attack surface management company Censys has revealed that there are 4,081 exposed FortiManager admin portals online, with nearly 30% of them located in the U.S. Roughly 20% of the publicly-accessible instances are associated with Microsoft Cloud.

That said, it's immediately not clear how many of these instances are actually susceptible to CVE-2024-47575 due to the lack of information about specific device versions.

""The risk that CVE 2024-47575 poses cannot be understated. The flaw is attractive to threat actors who are after large-scale enterprises because of its potential for remote code execution," Tim Peck, senior threat researcher at Securonix, said in a statement shared with The Hacker News.

"In these environments, potential damages can range from unauthorized access to data theft and even disruption of critical operations. Impacted organizations should immediately apply the patch issued on October 24. Then, review access logs for suspicious activity and ensure a robust incident response plan is in place."

Post-Exploitation Activities Associated With CVE-2024-47575

Bishop Fox has shared more technical details of the flaw, characterizing it as a case of command injection arising as a result of missing authentication in the fgfmsd daemon. "Command injections are a very highly exploitable class of bug since the same payload can generally be used for all vulnerable devices and versions," it said.

The lack of appropriate authentication mechanisms could allow an attacker to remotely interact with the FortiManager server by sending specially crafted requests and steal sensitive data.

"The level of access that the attackers would gain is particularly dangerous because FortiManager serves as a central control platform for all connected FortiGate firewalls and other network security devices," Securonix noted in an advisory.

Cybersecurity firm Darktrace said it "identified two clusters of activity involving overlapping indicators of compromise (IoCs), likely constituting unique campaigns targeting Fortinet appliances."

"Analysis of these activity clusters revealed a pattern of malicious activity against likely FortiManager devices, including initial exploitation, payload retrieval, and exfiltration of probable configuration data," researchers said.

The widespread exploitation activity, detected in June and September 2024, is said to have leveraged multiple vulnerabilities, counting CVE 2024-47575, followed by fetching a JavaScript payload from a remote server to collect configuration data and exfiltrating the information to an external IP address using the HTTP protocol.

"Interestingly, in many investigations, analysts noticed a lag period between the initial access and exploitation, and the exfiltration of data via HTTP," Darktrace said. "Such a pause, sometimes over several hours to over a day, could reflect the time needed to aggregate data locally on the host or as a strategic pause in activity to avoid detection."

From FortiJump to FortiJump Higher

New research published by watchTowr has found that the patch for CVE 2024-47575 is incomplete, and that it discovered a new vulnerability triggered via the "som/export" handler, dubbed FortiJump Higher, that results in a post-authentication privilege escalation attack on fully patched instances.

The flaw allows "adversaries to elevate from one managed FortiGate appliance to the central FortiManager appliance," the company said, adding "this has the effect of changing the threat model for FortiManager installations considerably, since ownership of any managed FortiGate appliance is easily elevated to FortiManger itself, and thus to all other managed appliances."

The Hacker News has reached out to Fortinet for comment and we'll update the story if we hear back.

(The story was updated after publication on November 5, 2024, to include additional information about CVE-2024-47575. It was again updated on November 15 with details about FortiJump Higher.)


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.