Overview
The Cybersecurity and Infrastructure Security Agency (CISA) has added Fortinet’s FortiManager to its known Exploited Vulnerabilities (KEV) catalog, indicating a pressing need for organizations to address the associated risks.
The critical vulnerability identified as CVE-2024-47575 has been assigned a CVSS score of 9.8. This vulnerability affects various versions of FortiManager, including FortiManager 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, and 6.2.0 through 6.2.12, as well as multiple iterations of FortiManager Cloud.
The vulnerability stems from a missing authentication issue within the critical functions of the FortiManager fgfmd daemon, allowing remote, unauthenticated attackers to execute arbitrary commands or code via specially crafted requests. This flaw poses a significant risk to organizations that rely on this technology.
Recovery Methods
Organizations impacted by CVE-2024-47575 are encouraged to undertake specific recovery actions to address the vulnerability effectively. One recommended recovery method is database rebuilding or resynchronization, which helps ensure that the FortiManager configuration remains uncompromised. This can involve installing a fresh FortiManager virtual machine (VM) or reinitializing a hardware model and re-adding devices. Additionally, restoring a backup taken before any indicators of compromise (IoC) detection is advised.
An alternative recovery action is the Quick Recovery Option, which allows for swift recovery without extensive database changes. However, this method requires manual verification of the current configuration. In this case, organizations should install a new FortiManager VM or reinitialize a hardware model and restore components from a compromised FortiManager. They can also restore from a backup taken from the compromised system.
To further mitigate the risks associated with this vulnerability, organizations should consider upgrading to fixed versions of FortiManager or implementing certain workarounds. For FortiManager versions 7.0.12 and above, 7.2.5 and above, and 7.4.3 and above (excluding 7.6.0), it is recommended to enable a configuration that denies unknown devices from registering.
This setting is important as it may prevent FortiGates with serial numbers not listed on the device roster from successfully registering. Additionally, for FortiManager versions 7.2.0 and above, organizations should implement local-in policies to whitelist FortiGate IP addresses that are permitted to connect.
This involves configuring policies to accept connections on port 541 for the specified source addresses. Finally, organizations should ensure that custom certificates are implemented for versions 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above, thereby guaranteeing that only authorized certificates are utilized within their systems.
Recommendations and Mitigations
To effectively combat vulnerabilities like CVE-2024-47575, organizations should:
- Regularly update systems with patches from official vendors and prioritize critical updates.
- Establish an effective patch management strategy to ensure timely application of updates.
- Use network segmentation to protect critical assets and limit exposure to threats.
- Create and maintain a comprehensive incident response plan to address security incidents effectively.
- Utilize monitoring solutions to detect and analyze suspicious activities within the network.
Conclusion
The inclusion of vulnerabilities in CISA’s KEV catalog signals that threat actors are actively exploiting these flaws in real-world scenarios. This development highlights the urgency for organizations to respond promptly to mitigate risks associated with CVE-2024-47575 and similar vulnerabilities. Failure to address these vulnerabilities can lead to severe consequences, including data breaches and system compromises.
