Hello everybody. If you use FortiManager from FortiNet you should be prepared to grab the latest available release from the support portal and upgrade.
Patches aren’t out yet. Mitigation is available. If you have FortiManager facing the internet, I’d say remove it from the internet now. #threatintel https://mastodon.green/@fthy/113299522822025433
Patch your FortiManager now. Limit access to it to only from dedicated jump-servers. #fortinet #fortimanager #infosec
Attached: 2 images We are now reporting in our feeds Fortinet IPs still likely vulnerable to CVE-2024-23113 (format string pre-auth RCE). This vulnerability is known to be exploited in the wild. 87,390 IPs found on 2024-10-12 scan. Top: US (14K), Japan (5.1K), India (4.8K) We are sharing daily feeds of vulnerable IPs in our Vulnerable HTTP report: https://shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/ You can track CVE-2024-23113 vulnerable instances over time on our Dashboard: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=other&d1=2024-10-09&d2=2024-10-12&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-23113%2B&dataset=unique_ips&style=stacked Patch details from Fortinet (Feb 8th, 2024): https://fortiguard.com/psirt/FG-IR-24-029 Note this vulnerability has been added recently to the US CISA's Known Exploited Vulnerabilities catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Fortinet's last security blog included a section called "A Call to the Industry: Doing the Right Thing for the Security of our Society", which is good. It talks about "transparent disclosure of discovered vulnerabilities" and "radical transparency".
In other news, Fortigate are almost two weeks into knowing they have a zero day which is actively exploited in one of their products, haven't issued a CVE, haven't done a public writeup, and have patch notes that don't mention the vuln.
Kevin Beaumont
Andrzej Stamburski