Fortinet has confirmed a critical-severity vulnerability in one of its products, and urged customers to apply the released fix immediately.
In a security advisory, the cybersecurity company said it uncovered a bug in FortiManager that would allow threat actors to remotely execute arbitrary code, or commands, via specially crafted requests.
The bug resides in FortiManager’s fgfmd daemon, it was added.
Critical vulnerability
The vulnerable versions are:
Fortinet 6.2.0 – 6.2.12, 6.4.0-6.4.14, 7.0.0 – 7.0.12, 7.2.0 -7.2.7, 7.4.0 – 7.44, and 7.6.0.
Furthermore, a few versions of FortiManager Cloud were also said to be vulnerable: All 6.4 versions, 7.0.1 – 7.0.12, 7.2.1 – 7.2.7, and 7.4.1 – 7.4.4.
FortiManager Cloud 7.6 is not affected.
The bug is deemed critical, with a severity score of 9.8. It is tracked as CVE-2024-47575, and a fix is already available. Fortinet also said there were three possible workarounds, depending on the versions of the software in use.
Therefore, for FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0), users could prevent unknown devices from attempting to register “config system global”, “(global)# set fgfm-deny-unknown enable,” or “(global)# end”.
Users of FortiManager versions 7.2.0 and above, a workaround includes adding local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect, while for 7.2.2 and above, 7.4.0 and above, 7.6.0 and above, it is possible to use a custom certificate which will mitigate the issue.
The company claims the bug is already being exploited in the wild, and urges its customers to protect their premises.
“The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices,” the advisory reads.
“At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices.”
More from TechRadar Pro
https://cdn.mos.cms.futurecdn.net/exjZtnyH8bykMKrG4TDthC-1200-80.jpg
Source link
