
CVE-2024-47575 Vulnerability in FortiManager

Published: 24 October 2024

Prepared by:

 

Purpose 

The purpose of this bulletin is to address a recent report by the Australian Cyber Security Centre (ACSC) and Mandiant (Google) surrounding the active exploitation of a CRITICAL-risk vulnerability present in Fortinet FortiManager.  

As this vulnerability allows potential attackers to perform unauthenticated Remote Code Execution (RCE), and due to the fact that Mandiant have uncovered a campaign of mass exploitation of this vulnerability, the Triskele Labs team strongly advises that all organisations using affected versions of FortiManager should follow the remediation steps outlined in the subsequent sections. This vulnerability is being tracked as CVE-2024-47575. 

Furthermore, Triskele Labs strongly advises that where possible, Fortinet FortiManager is not exposed to the Internet, to prevent threats of this nature in future.  

 

CVE-2024-47575 Details

On 23 October 2024, FortiGuard Labs published vulnerability disclosure FG-IR-24-423 for the issue tracked as CVE-2024-47575, impacting the following versions of FortiManager.

| Version | Affected | Solution |
|---|---|---|
| FortiManager 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| FortiManager 6.2 | 6.2.0 through 6.2.12 | Upgrade to 6.2.13 or above |
| FortiManager Cloud 7.6 | Not affected | Not Applicable |
| FortiManager Cloud 7.4 | 7.4.1 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiManager Cloud 7.2 | 7.2.1 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiManager Cloud 7.0 | 7.0.1 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager Cloud 6.4 | 6.4 all versions | Migrate to a fixed release |
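To triage an asset inventory against the ranges in the table above, the following version check is an added example (not code from Triskele Labs or Fortinet). It encodes the FG-IR-24-423 ranges, compares parsed version tuples rather than strings, and treats the "all versions" and "not affected" rows separately; the product names and inventory entries it is fed are assumptions.

```python
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


class Finding(NamedTuple):
    affected: bool
    action: str


# (product, major.minor line) -> (first affected, last affected, fixed version).
# first == None means every version in that line is affected and no in-line fix
# exists (the "Migrate to a fixed release" row). Lines not listed here, such as
# FortiManager Cloud 7.6, are not affected per the advisory.
AFFECTED = {
    ("FortiManager", (7, 6)): ((7, 6, 0), (7, 6, 0), "7.6.1"),
    ("FortiManager", (7, 4)): ((7, 4, 0), (7, 4, 4), "7.4.5"),
    ("FortiManager", (7, 2)): ((7, 2, 0), (7, 2, 7), "7.2.8"),
    ("FortiManager", (7, 0)): ((7, 0, 0), (7, 0, 12), "7.0.13"),
    ("FortiManager", (6, 4)): ((6, 4, 0), (6, 4, 14), "6.4.15"),
    ("FortiManager", (6, 2)): ((6, 2, 0), (6, 2, 12), "6.2.13"),
    ("FortiManager Cloud", (7, 4)): ((7, 4, 1), (7, 4, 4), "7.4.5"),
    ("FortiManager Cloud", (7, 2)): ((7, 2, 1), (7, 2, 7), "7.2.8"),
    ("FortiManager Cloud", (7, 0)): ((7, 0, 1), (7, 0, 12), "7.0.13"),
    ("FortiManager Cloud", (6, 4)): (None, None, None),
}


def parse_version(text: str) -> Version:
    """Turn '7.4.3' (or '7.4.3 build0001', a constructed suffix) into (7, 4, 3)."""
    parts = [int(p) for p in text.strip().split()[0].split(".")]
    while len(parts) < 3:          # pad '7.4' to (7, 4, 0)
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def assess(product: str, version: str) -> Finding:
    """Decide whether one FortiManager instance needs action for CVE-2024-47575."""
    v = parse_version(version)
    entry = AFFECTED.get((product, v[:2]))
    if entry is None:
        return Finding(False, "not listed as affected in FG-IR-24-423")
    first, last, fix = entry
    if first is None:
        return Finding(True, "all versions affected; migrate to a fixed release")
    if first <= v <= last:          # tuple comparison, so 7.4.10 > 7.4.4 works
        return Finding(True, f"upgrade to {fix} or above")
    return Finding(False, f"outside the affected range (fixed in {fix})")
```

Run `assess` over each (product, version) pair in your inventory; any result with `affected=True` is a host that still needs the upgrade or migration, and a log review if it has been Internet-exposed.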

 

Impact  

The attack paths for this vulnerability could be used for initial access to a network, data exfiltration, data encryption, or network traversal. Due to the criticality of this vulnerability and its active exploitation, devices running affected versions of FortiManager should be treated as a prime target for a threat actor and patched as a business priority, to prevent exfiltration of data and leakage of Personally Identifiable Information (PII) and other sensitive data.

This vulnerability has been assigned a Common Vulnerability Scoring System (CVSS) score of 9.8/10.  

 

Mitigation Actions 

Triskele Labs recommends upgrading to the latest version of FortiManager immediately, in line with the advice from FortiGuard Labs. The upgrade paths in the table above, provided by FortiGuard Labs, can be used to mitigate this vulnerability:

If you are running an instance of FortiManager listed as impacted by this vulnerability, Triskele Labs recommends reviewing the firewall logs for unusual activity, in case this vulnerability has already been exploited. If it has, persistence may already be present, which an update alone will not remediate.

Triskele Labs recommends that where possible, administrative interfaces such as FortiManager are never exposed to the Internet, to prevent the exploitation of vulnerabilities of this nature.  

 

Detection Capabilities 

Triskele Labs SOC customers with our Vulnerability Scanning service are being assessed currently. All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored for IOCs and Lateral Movement. 

 


References