A patch has been released by Fortinet for their FortiManager & FortiAnalyzer platforms. This critical patch resolves a Use After Free vulnerability (CWE-416) that allowed attackers to execute code as administrators on the targeted device. SKOUT recommends that organizations apply the patch immediately, or follow the mitigation steps provided by Fortinet to ensure their infrastructure is protected against this vulnerability.
Please note that SKOUT Cybersecurity products and services are not affected by these vulnerabilities.
Technical Detail & Additional Information
WHAT IS THE THREAT?
The Use After Free vulnerability is a common vulnerability in software explained in CWE-416. This vulnerability pertains to the ability to reference memory after it has been freed, causing a program to crash, use unexpected values, or execute code. Threat actors can create specially crafted requests to the fgfm port on the targeted FortiManager or FortiAnalyzer device to execute code on the device as root, giving them elevated privileges.
WHY IS IT NOTEWORTHY?
This is especially noteworthy because it gives threat actors a method to immediately escalate to root privileges within a network. Considering the popularity of these Fortinet services, organizations should be wary of threat actors utilizing this vulnerability to obtain elevated unauthorized privileges on their network. The severity level of this vulnerability brings high risk to infrastructure and operations for affected organizations.
WHAT IS THE EXPOSURE OR RISK?
Threat actors that take advantage of this vulnerability can execute code on the device as root. Attackers might utilize these privileges to further compromise the network, establishing persistence and then possibly exfiltrating data or deploying ransomware. Though the fgfm port is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models, the vulnerability is a huge threat if left unchecked.
WHAT ARE THE RECOMMENDATIONS?
SKOUT recommends following the below:
Upgrade to the following FortiManager or FortiAnalyzer versions:
- Please upgrade to FortiManager version 5.6.11 or above.
- Please upgrade to FortiAnalyzer version 5.6.11 or above.
If you are unable to patch your systems, apply the workaround:
Disable FortiManager features on the FortiAnalyzer unit using these commands:
- config system global
- set fmg-status disable <———– Disabled by default
- Protection with FortiGate: Upgrade to IPS Definitions version 18.00 or above, and make sure the action for signature FG-VD-50483 is set to BLOCK.
- Review the references below to read more about the threat, or recommendations from Fortinet.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.