
Fortinet confirms zero day exploitation: Pre-auth RCE now allocated CVE-2024-47575

A "missing authentication for critical function vulnerability"? Well, this is novel!

Fortinet executives, proudly bringing you FortiManager vulnerability CVE-2024-47575

Updated 08:00 BST, October 24, with comment and link to IOCs from Mandiant

Fortinet has confirmed a zero day vulnerability in its FortiManager firewall management software. CVE-2024-47575 is being exploited in the wild and can be abused (deep joy) by a remote, unauthenticated attacker.

The product is used by managed service providers (MSPs) and government customers, among others, all of whom are now at real risk.

Attackers have been tracked automating “via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices”, Fortinet said today.

“At this stage, we have not received reports of any low-level system installations of malware or backdoors”, the company added in its advisory, a comment which is unlikely to reassure customers, many of whom it reportedly emailed privately about the vulnerability last week.

Updated: Mandiant said it has been tracking exploitation since June 27.

It said that the newly identified threat group, tracked as UNC5820, is exfiltrating "detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment."

It has not identified follow-on activity, it added, sharing IOCs.

FortiManager vulnerability: CVE-2024-47575 

FortiManager is used to manage FortiGate firewalls. It operates on port 541. A Shodan search by security researcher Kevin Beaumont (who had blogged on the FortiManager vulnerability yesterday, before the CVE was revealed and a public advisory published) suggested 60,000+ instances are exposed to the internet.

Beaumont wrote: “FortiNet made a number of errors in how this is implemented. For example, out of the box, by default, FortiManager allows any device, even with an unknown serial number, to register with FortiManager automatically and become a managed device…” 

What’s affected?

Fortinet says of the FortiManager vulnerability CVE-2024-47575 that the following versions are affected and have mitigation guidance available:

  • FortiManager 7.6.0
  • FortiManager 7.4.0 through 7.4.4
  • FortiManager 7.2.0 through 7.2.7
  • FortiManager 7.0.0 through 7.0.12
  • FortiManager 6.4.0 through 6.4.14
  • FortiManager 6.2.0 through 6.2.12
  • FortiManager Cloud 7.4.1 through 7.4.4
  • FortiManager Cloud 7.2 (all versions)
  • FortiManager Cloud 7.0 (all versions)
  • FortiManager Cloud 6.4 (all versions)

FortiManager Cloud 7.6 is reportedly not affected.
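The affected ranges above are easy to misread when checking an estate by hand (on-prem 7.6.0 is affected but Cloud 7.6 is not; Cloud 7.4.0 is outside the Cloud 7.4.1 through 7.4.4 range). The following is an added example, not code from Fortinet or this article, that transcribes the list into data and checks inventory entries against it. The version string formats (`7.4.3`, `v7.4.3-build2453`) and the hostnames are constructed samples. A result of "not listed" means only that the build is absent from the affected list as quoted here; the page does not give the fixed builds, so confirm those against Fortinet's advisory.

```python
"""Check FortiManager builds against the CVE-2024-47575 affected ranges
quoted in the article. Added example; the ranges are transcribed from the
article, the parsing and comparison logic is the example's own."""
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]
Range = Tuple[str, Version, Optional[Version]]

# (product, first affected, last affected). A last-affected of None encodes
# the advisory's "(all versions)" wording for that release branch.
AFFECTED: List[Range] = [
    ("FortiManager", (7, 6, 0), (7, 6, 0)),
    ("FortiManager", (7, 4, 0), (7, 4, 4)),
    ("FortiManager", (7, 2, 0), (7, 2, 7)),
    ("FortiManager", (7, 0, 0), (7, 0, 12)),
    ("FortiManager", (6, 4, 0), (6, 4, 14)),
    ("FortiManager", (6, 2, 0), (6, 2, 12)),
    ("FortiManager Cloud", (7, 4, 1), (7, 4, 4)),
    ("FortiManager Cloud", (7, 2), None),
    ("FortiManager Cloud", (7, 0), None),
    ("FortiManager Cloud", (6, 4), None),
]

# major.minor[.patch]; tolerates a leading 'v' and a trailing '-buildNNNN'
# (constructed formats; adjust if your inventory records builds differently).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Extract a (major, minor, patch) tuple from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def matching_range(product: str, version: Version) -> Optional[Range]:
    """Return the affected range that covers this build, or None."""
    for prod, low, high in AFFECTED:
        if prod != product:
            continue
        if version[:2] != low[:2]:
            continue  # different release branch (e.g. 7.6 vs 7.4)
        if high is None:
            return (prod, low, high)  # whole branch listed as affected
        if low <= version <= high:  # tuple comparison is lexicographic
            return (prod, low, high)
    return None


def is_affected(product: str, version_text: str) -> bool:
    return matching_range(product, parse_version(version_text)) is not None


def triage(inventory: Iterable[Tuple[str, str, str]]) -> dict:
    """Map hostname -> 'affected' / 'not listed' for (host, product, version)."""
    verdicts = {}
    for host, product, version_text in inventory:
        verdicts[host] = "affected" if is_affected(product, version_text) else "not listed"
    return verdicts


# Constructed sample inventory covering the edge cases in the advisory list.
SAMPLE_INVENTORY = [
    ("fmg-prod-01", "FortiManager", "v7.4.3-build2453"),
    ("fmg-lab", "FortiManager", "7.6.1"),
    ("fmg-cloud-a", "FortiManager Cloud", "7.2.5"),
    ("fmg-cloud-b", "FortiManager Cloud", "7.4.0"),
    ("fmg-cloud-c", "FortiManager Cloud", "7.6.2"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Branch matching on the first two components is what makes the "(all versions)" Cloud entries work without enumerating patch levels, and it also keeps on-prem 7.6.0 from matching the unlisted 7.6.1 build.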

Fortinet's recommended action, which ensures that the FortiManager configuration was not tampered with, requires "database rebuilding or device configuration resynchronizations at the Device and Policy Package ADOM levels." It proposes:

• Installing a fresh FortiManager VM or re-initializing a hardware model, and adding/discovering the devices.
• Installing a fresh FortiManager VM or re-initializing a hardware model, and restoring a backup taken before the IoC detection.

Customers can get their full-fat set of IOCs and other guidance here.

Chinese hackers notably compromised over 20,000 Fortinet devices in 2022-2023, breaching a large number of defense industry companies. They deployed previously unseen, bespoke malware for Fortinet devices dubbed COATHANGER that “survives reboots and firmware upgrades.”

Dutch cybersecurity agency NCSC-NL flagged that campaign anew in June and said its earlier February alert – published alongside the country’s Ministry of Defence (MoD) – had underestimated the scale of the campaign. The NCSC added in a June 10 update that the difficulty of removing the persistent secondary stage malware means the threat group likely still has access to the system of a “significant” number of victims.

Fortinet has serious questions to answer about its product security.

CVE-2022-42475, CVE-2022-40684 and CVE-2022-4247 all got widely exploited in the wild, whilst in 2023 the firm also said attackers had tampered with the firmware of FortiGate firewall devices, modifying the device firmware image (/sbin/init) to launch a persistent payload (/bin/fgfm) before the boot process began; that payload allowed them to download and write files, open remote shells and exfiltrate data. Those attacks began with the exploitation of CVE-2022-41328, which affects FortiOS.

Then there was (we can do this all day) CVE-2023-27997, found in a Red Team engagement then also identified as exploited in the wild.

As French offensive security firm Lexfo put it when disclosing that Fortinet vulnerability: "We remain doubtful they [Fortinet] ever ran a proper security assessment on the appliance, considering the number and quality of vulnerabilities that were found from 2019 to today."

n.b. Fortinet today described the FortiManager vulnerability CVE-2024-47575 as a "missing authentication for critical function vulnerability in FortiManager fgfmd daemon." That's what critics call "insecure by design", cynics call "a backdoor", and Ivanti probably calls "instant karma" after this threat research.

See also: CISA says suppliers bear responsibility for insecure software in Fed procurement guide
