Threat Research

CISA Identifies Critical Vulnerability (CVE-2024-47575) in Fortinet FortiManager

Cyble
Short Summary:

The Cybersecurity and Infrastructure Security Agency (CISA) has added Fortinet’s FortiManager to its known Exploited Vulnerabilities (KEV) catalog due to a critical vulnerability (CVE-2024-47575) with a CVSS score of 9.8. This vulnerability allows remote, unauthenticated attackers to execute arbitrary commands or code, posing significant risks to organizations. Recovery methods and recommendations for mitigation are provided to address this vulnerability effectively.

Key Points:
  • CISA has added FortiManager to its KEV catalog due to CVE-2024-47575.
  • The vulnerability has a CVSS score of 9.8 and affects multiple versions of FortiManager.
  • It allows remote, unauthenticated attackers to execute arbitrary commands or code.
  • Recommended recovery methods include database rebuilding and Quick Recovery Option.
  • Organizations should upgrade to fixed versions of FortiManager and implement workarounds.
  • Regular updates, patch management, and network segmentation are crucial for mitigation.
  • Failure to address this vulnerability can lead to severe consequences, including data breaches.
MITRE ATT&CK TTPs – created by AI
  • Initial Access (T1078)
    • Use of valid accounts to gain access to systems.
  • Execution (T1203)
    • Exploitation of software vulnerabilities to execute arbitrary code.
  • Persistence (T1136)
    • Use of legitimate credentials to maintain access.
  • Privilege Escalation (T1068)
    • Exploitation of vulnerabilities to gain higher privileges.
  • Defense Evasion (T1211)
    • Obfuscation of malicious activities to avoid detection.
  • Impact (T1499)
    • Execution of arbitrary commands leading to data loss or system compromise.

Critical Vulnerability

Overview 

The Cybersecurity and Infrastructure Security Agency (CISA) has added Fortinet’s FortiManager to its known Exploited Vulnerabilities (KEV) catalog, indicating a pressing need for organizations to address the associated risks. 

The critical vulnerability identified as CVE-2024-47575 has been assigned a CVSS score of 9.8. This vulnerability affects various versions of FortiManager, including FortiManager 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, and 6.2.0 through 6.2.12, as well as multiple iterations of FortiManager Cloud.  

The vulnerability stems from a missing authentication issue within the critical functions of the FortiManager fgfmd daemon, allowing remote, unauthenticated attackers to execute arbitrary commands or code via specially crafted requests. This flaw poses a significant risk to organizations that rely on this technology. 

Recovery Methods 

Organizations impacted by CVE-2024-47575 are encouraged to undertake specific recovery actions to address the vulnerability effectively. One recommended recovery method is database rebuilding or resynchronization, which helps ensure that the FortiManager configuration remains uncompromised. This can involve installing a fresh FortiManager virtual machine (VM) or reinitializing a hardware model and re-adding devices. Additionally, restoring a backup taken before any indicators of compromise (IoC) detection is advised. 

An alternative recovery action is the Quick Recovery Option, which allows for swift recovery without extensive database changes. However, this method requires manual verification of the current configuration. In this case, organizations should install a new FortiManager VM or reinitialize a hardware model and restore components from a compromised FortiManager. They can also restore from a backup taken from the compromised system. 

To further mitigate the risks associated with this vulnerability, organizations should consider upgrading to fixed versions of FortiManager or implementing certain workarounds. For FortiManager versions 7.0.12 and above, 7.2.5 and above, and 7.4.3 and above (excluding 7.6.0), it is recommended to enable a configuration that denies unknown devices from registering.  

This setting is important as it may prevent FortiGates with serial numbers not listed on the device roster from successfully registering. Additionally, for FortiManager versions 7.2.0 and above, organizations should implement local-in policies to whitelist FortiGate IP addresses that are permitted to connect.  

This involves configuring policies to accept connections on port 541 for the specified source addresses. Finally, organizations should ensure that custom certificates are implemented for versions 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above, thereby guaranteeing that only authorized certificates are utilized within their systems. 

Recommendations and Mitigations 

To effectively combat vulnerabilities like CVE-2024-47575, organizations should: 

  1. Regularly update systems with patches from official vendors and prioritize critical updates. 

  2. Establish an effective patch management strategy to ensure timely application of updates. 

  3. Use network segmentation to protect critical assets and limit exposure to threats. 

  4. Create and maintain a comprehensive incident response plan to address security incidents effectively. 

  5. Utilize monitoring solutions to detect and analyze suspicious activities within the network. 

Conclusion 

The inclusion of vulnerabilities in CISA’s KEV catalog signals that threat actors are actively exploiting these flaws in real-world scenarios. This development highlights the urgency for organizations to respond promptly to mitigate risks associated with CVE-2024-47575 and similar vulnerabilities. Failure to address these vulnerabilities can lead to severe consequences, including data breaches and system compromises. 

The post CISA Flags Critical Vulnerability (CVE-2024-47575) in Fortinet’s FortiManager  appeared first on Cyble.

Tags: BACKUP, PERSISTENCE, CVE, CLOUD, IMPACT, PRIVILEGE, PATCH, DEFENSE EVASION