Source: go.theregister.com – Author: Iain Thomson
Updated Fortinet has gone public with news of a critical flaw in its software management platform.
The security vendor apparently began informing customers privately about the issue a few days ago but has since gone public about the vulnerability in its FortiManager control software. The vulnerability, CVE-2024-47575, has a CVSS score of 9.8 and would allow a remote attacker to run code on unpatched systems – and, given the application’s management tools, possibly spread further over a network.
“A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests,” states Fortinet’s advisory, which adds the words no user wants to read: “Reports have shown this vulnerability to be exploited in the wild.”
In order to use the flaw, an attacker would need to have a valid Fortinet device certificate, Rob King, director of security research at flaw-finding firm runZero, explained. But such a certificate could be taken from a legitimate box and reused, and would allow the intruder to log into the management software without proper checks.
On Wednesday, CISA confirmed the bug was under active exploitation and added it to its Known Exploited Vulnerabilities Catalog – meaning Federal IT admins are on notice to fix this fast. CISA wants the rest of us to do likewise.
Security maven Kevin Beaumont has been warning about the issue, which he dubbed FortiJump, for days now. He estimates that at least 60,000 users are exposed.
“I’m not confident that Fortinet’s narrative that they’re protecting customers by not publicly disclosing a vulnerability is protecting customers,” he opined.
“This vulnerability has been under widespread exploitation for a while. It doesn’t protect anybody by not being transparent … except maybe themselves, and any governments that don’t want to be embarrassed.”
Fortinet recommends that users of FortiManager 7.6 and below – and its cloud equivalent – update their software immediately. It has also issued a list of indications of compromise that admins should be on guard for, as well as four IP addresses known to be malicious: 45.32.41.202, 104.238.141.143, 158.247.199.37, and 45.32.63.2.
“The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices,” the vendor explained.
“At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices.”
Fortinet has had a tough month. Last week CISA issued an alert about another CVSS 9.8 critical bug, CVE-2024-23113. Although it was patched in February, people were tardy, and even now an estimated 86,000 users remain at risk. ®
Updated at 15:45 UTC October 24
Those “in-the-wild exploits” that Fortinet finally copped to? According to Mandiant, it’s a mass exploit situation, and a new threat cluster, UNC5820, is behind the attacks.
In a late Wednesday post, the threat intelligence team said it began working with Fortinet earlier this month to investigate the digital break-ins, and determined the exploitation began around June 27.
“UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager,” the investigators wrote. “This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords.”
While the criminals could have abused this access to move laterally to the managed devices, and from there jump into enterprise systems, “at this stage of our investigations there is no evidence” that UNC5820 did compromise any additional environments in these attacks, the team notes.
Additionally, as of right now Mandiant says it lacks “sufficient data to assess actor motivation or location.”
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2024/10/23/fortimanager_critical_vulnerability/