Fortinet releases patches for undisclosed critical FortiManager vulnerability – Help Net Security

Summary: Fortinet has issued critical security updates for FortiManager to address a vulnerability reportedly exploited by Chinese threat actors, though details and a CVE have not yet been publicly disclosed. The company has advised customers on temporary mitigations while the full scope of the vulnerability remains unclear.

Threat Actor: Chinese threat actors
Victim: Fortinet

Key Points:

  • Fortinet has privately notified select customers about the vulnerability and provided temporary mitigation advice.
  • The vulnerability may relate to the “Fortigate to FortiManager” communication and has not yet been assigned a CVE.
  • Security researcher Kevin Beaumont suggests the vulnerability is being exploited in espionage campaigns by nation-state actors.
  • Some FortiManager users remain uninformed about the vulnerability, relying on unofficial sources for information.

In the last couple of days, Fortinet has released critical security updates for FortiManager, to fix a critical vulnerability that is reportedly being exploited by Chinese threat actors.

Security updates are trickling out

The company, which is known for pushing out fixes for critical vulnerabilities before disclosing their existence to the public, privately notified select customers a week ago and shared temporary mitigation advice.

The advice apparently includes configuring FortiManager to prevent devices with an unknown serial number (i.e., unauthorized devices) from registering with or connecting to it.

Limiting access to FortiManager installations is also generally a good idea, but implementing the patches once they are released is essential. Some are already available from Fortinet’s support portal.
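As an added illustration, not taken from the article or from Fortinet's own guidance, this is the FortiManager CLI form the mitigation described above is assumed to take. The option name `fgfm-deny-unknown`, its default value and the `diagnose dvm device list` check are assumptions here and should be confirmed against Fortinet's documentation for the installed release.

```text
# Assumed FortiManager CLI. Weak state (assumed default on older builds):
# any FortiGate that can reach the fgfm service may attempt to register,
# even if its serial number is not already known to this FortiManager.
config system global
    set fgfm-deny-unknown disable
end

# Hardened state: registration attempts from devices whose serial number
# is not already present in the device database are rejected. Existing,
# already-registered FortiGates are unaffected.
config system global
    set fgfm-deny-unknown enable
end

# Check (assumed command): list the devices FortiManager already knows,
# with their serial numbers, and confirm every entry is expected before
# and after enabling the setting.
diagnose dvm device list
```

Enabling the deny setting does not replace patching; it only narrows which devices can reach the registration path until the fix is applied.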

No CVE, no details (yet)

The company has yet to publicly reveal details about the vulnerability or the CVE associated with it, though the suggested mitigation might indicate that the issue resides in the “Fortigate to FortiManager” (fgfm) connection, communication and management capability.

Whether it is related to CVE-2024-23113 – a format string vulnerability that affects the FortiOS fgfm daemon – is open to speculation.

CVE-2024-23113 was patched earlier this year in FortiOS, FortiPAM, FortiProxy and FortiWeb. In early October, CISA confirmed that it is being exploited by attackers, and watchTowr Lab researchers released a deep-dive into it.

UPDATE (October 23, 2024, 03:00 a.m. ET):

Fortinet has still not publicly released a security advisory for this issue or assigned it a CVE. The company’s product security incident response team (PSIRT) web page is intermittently accessible.

Time will tell whether their decision to keep this information close to the chest and engage in limited, private disclosure was correct. In the meantime, discussions on Reddit show that some FortiManager users did not get the memo and have had to resort to searching for crucial information from (unofficial) online sources.

One of these sources is security researcher Kevin Beaumont, who has been following this situation for the last ten days or so.

In his recent post, he said that the vulnerability is being exploited by nation-state threat actors in espionage campaigns via managed service providers. Based on things he has witnessed on his own FortiManager honeypot and information he found online, he has provided his view of where the flaw resides and what it allows.

Source: https://www.helpnetsecurity.com/2024/10/21/fortimanager-critical-vulnerability