Hello everybody. If you use FortiManager from FortiNet you should be prepared to grab the latest available release from the support portal and upgrade.
Patches aren’t out yet. Mitigation is available. If you have FortiManager facing the internet, I’d say remove it from the internet now. #threatintel https://mastodon.green/@fthy/113299522822025433
Patch your FortiManager now. Limit access to it to only from dedicated jump-servers. #fortinet #fortimanager #infosec
Attached: 2 images We are now reporting in our feeds Fortinet IPs still likely vulnerable to CVE-2024-23113 (format string pre-auth RCE). This vulnerability is known to be exploited in the wild. 87,390 IPs found on 2024-10-12 scan. Top: US (14K), Japan (5.1K), India (4.8K) We are sharing daily feeds of vulnerable IPs in our Vulnerable HTTP report: https://shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/ You can track CVE-2024-23113 vulnerable instances over time on our Dashboard: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=other&d1=2024-10-09&d2=2024-10-12&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-23113%2B&dataset=unique_ips&style=stacked Patch details from Fortinet (Feb 8th, 2024): https://fortiguard.com/psirt/FG-IR-24-029 Note this vulnerability has been added recently to the US CISA's Known Exploited Vulnerabilities catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Fortinet's last security blog included a section called "A Call to the Industry: Doing the Right Thing for the Security of our Society", which is good. It talks about "transparent disclosure of discovered vulnerabilities" and "radical transparency".
In other news, Fortigate are almost two weeks into knowing they have a zero day which is actively exploited in one of their products, haven't issued a CVE, haven't done a public writeup, and have patch notes that don't mention the vuln.
Somebody posted the list of impacted FortiManager versions and fixed versions on Reddit. 3 of the versions don’t have patches available.
It’s not on the list but people are saying in the thread FortiManager Cloud is impacted too.
Fortinet’s PSIRT advisory website is still offline.
FGFM - FortiGate to FortiManager Protocol Shodan dork, save for later this week.
https://beta.shodan.io/search?query=port%3A541+xab
Documentation: https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/373486/fgfm-fortigate-to-fortimanager-protocol
"The FortiGate to FortiManager (FGFM) protocol is designed for FortiGate and FortiManager deployment scenarios, especially where NAT is used. These scenarios include the FortiManager on public internet while the FortiGate unit is behind NAT, FortiGate unit is on public internet while FortiManager is behind NAT..."
I've written a thing, and drawn a logo in crayon and an explainer in MS Paint.
Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs
Did you know there’s widespread exploitation of FortiNet products going on using a zero day, and that there’s no CVE? Now you do. The thread is a bit wild, I didn’t know about the FortiNet private…
While investigating this one I've found 4 different peeps at 4 different orgs with this.. We really need infosec vendors, when they say they want radical transparency, to have radical transparency.
It should not be me naming vulns in crayon still in 2024.
@[email protected] Can confirm these deets. Definitely worth looking through your logs for newly registered devices named localhost. If you have FDS they will show up as unregistered FDS devices :ablobcatwave:
btw that blog includes a banger detail I'm not sure is widely known yet - threat actor has been combo'ing the other CISA KEV vuln (from earlier in the year) to enter FortiGate, then used this to enter the managing FortiManager, and then using that to go back downstream - i.e. jumping over zoned networks.
As far as I can piece together, this has been happening for a while.
So there's a record somewhere, as FortiNet aren't listing it for some reason, here's the fixed versions for the zero day:
FortiManager 7.4.5: https://docs.fortinet.com/document/fortimanager/7.4.5/release-notes/723553/fortimanager-7-4-5-release
FortiManager 7.2.8:
https://docs.fortinet.com/document/fortimanager/7.2.8/release-notes/972111/resolved-issues
FortiManager 7.0.13:
https://docs.fortinet.com/document/fortimanager/7.0.13/release-notes/972111/resolved-issues
There are currently no patches for 7.6 or 6.4 branches, and the mitigation doesn't work on those.
FortiNet have now gone public about FortiJump, aka CVE-2024-47575 https://fortiguard.fortinet.com/psirt/FG-IR-24-423
Not in the advisory but exploitation stems to at least September, and it's being used to enter downstream networks.
FortiNet have updated the PSIRT entry to include IPs (there’s one additional) and forensics info.
I would recommend FortiManager customers check their boxes, even if the FortiManager itself isn’t directly internet facing - if you have FortiGate firewalls that are.
(Also if you have global Netflow data, check out those IPs 🫡)
Communications Protocol Guide for FGFM protocol
lol at this Watchtowr write up - it’s on the money. Vulns from 1998. Wait until they see the new FortiManager zero day, I wanna see their write up. https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/
@GossiTheDog the IP is also in mandiants writeup but they don't list it as IoC.
We have seen 2/5 of those on Sept. 23
I'm reasonable sure that there should be more but can't confirm any more at the moment.
Needs the crayon logo superimposed over the dog
@GossiTheDog Kevin, you sure that FortiGate devices are able to register by default?
From what I understand the allow_register variable is disabled by default, and when enabled, needs to be coupled with the register_passwd to set a password used during registration.
Also, I am told that the "localhost" devices are appearing under the Unregistered devices tab.
Uh-oh. Have we reached the "logo in ms paint" level of severity? Yikes!
@GossiTheDog So, as I'm trying to gauge impact or potential for impact for my clients; if they're not using Fortimanager, they're fine?
I was getting mixed reporting of fortigates getting enrolled into OTHER fortimanagers, though. That's my real worry. The mitigation for this would be to ensure that fortigates aren't just left hanging out in the wind right?
Can someone please explain this attack flow to me like I'm a 10-year-old?
@dangoodin @GossiTheDog I don't know details, but from reading this with my PSIRT hat on this is what I'm leaning toward: it sounds to me like there's an issue with stealing certs, so first they steal a cert, then they load it onto a Forti device they own, and use the cert to register their attacker-controlled device to your organization. I only see one mention of certs, so alongside the mention of localhost, perhaps they just need to establish some means of being trusted (self-signed for localhost, vs. stolen cert via this vuln?) and then the onboard an attacker-controlled device into the fortimanager pool and use that to cement their access.
From there, they can configure their way into your network or possibly take other admin actions (eg. possibly sync configs from trustworthy managed devices to their own?) It's not super clear from these threads. The mitigation to prevent unknown serial numbers suggests that a speedbump to fast onboarding prevents even a cert-bearing(?) device from being included into the fortimanager
@ckure
@dangoodin @GossiTheDog
Without any further information this is my take as well.
You don't have to steal a certificate however, you just need a valid certificate from any active fortigate appliance it seems
Kevin Beaumont
Luigi 
fellmoon 🏴
System Adminihater
RonnyTNL
Otmar Lendl
Jamie Booth
Zapa 
grey 
tachi
Lawrence Abrams
Ewen McNeill
Arne Visscher
Ryan Clough 
C1S0
Lesley Carhart 
Altytwo Altryness, BS 
Colin Haynes
Interpipes 💙
VessOnSecurity
NosirrahSec 🏴☠️ guillotine enthusiast
Cirio
forivall on hachyderm ₰ 🐻🦉
Zeljka Zorz
Bill
ck0
Blake Ridgway
Dan Goodin
Seth Hanford 🐡
rx13 
Andrzej Stamburski