Hello everybody. If you use FortiManager from FortiNet you should be prepared to grab the latest available release from the support portal and upgrade.

Patches aren’t out yet. Mitigation is available. If you have FortiManager facing the internet, I’d say remove it from the internet now. #threatintel https://mastodon.green/@fthy/113299522822025433

fthy (@[email protected])

Patch your FortiManager now. Limit access to it to only from dedicated jump-servers. #fortinet #fortimanager #infosec

Stealth rewrite as patches aren’t available yet.
Different vuln from earlier this year, but same component, to give scale of unpatched Forti problem. https://infosec.exchange/@shadowserver/113300701642489996
The Shadowserver Foundation (@[email protected])

We are now reporting in our feeds Fortinet IPs still likely vulnerable to CVE-2024-23113 (format string pre-auth RCE). This vulnerability is known to be exploited in the wild. 87,390 IPs found on 2024-10-12 scan. Top: US (14K), Japan (5.1K), India (4.8K)

We are sharing daily feeds of vulnerable IPs in our Vulnerable HTTP report: https://shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

You can track CVE-2024-23113 vulnerable instances over time on our Dashboard: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=other&d1=2024-10-09&d2=2024-10-12&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-23113%2B&dataset=unique_ips&style=stacked

Patch details from Fortinet (Feb 8th, 2024): https://fortiguard.com/psirt/FG-IR-24-029

Note this vulnerability has been added recently to the US CISA's Known Exploited Vulnerabilities catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Does anybody know if the FortiManager zero day situation has a CVE and/or patch yet?
FortiGate have released one of the six new versions of FortiManager which fix the actively exploited zero day in the product… but they’ve not issued a CVE or documented the issue existing in the release notes. Next week maybe?
And we have another FortiManager patch out: https://www.reddit.com/r/fortinet/s/JNCdPoxAgb
Fortigate is currently having the world's least secret zero day, used by China, play out, including in FortiManager Cloud... but everybody is confused.

Fortinet's last security blog included a section called "A Call to the Industry: Doing the Right Thing for the Security of our Society", which is good. It talks about "transparent disclosure of discovered vulnerabilities" and "radical transparency".

In other news, Fortigate are almost two weeks into knowing they have a zero day which is actively exploited in one of their products, haven't issued a CVE, haven't done a public writeup, and have patch notes that don't mention the vuln.

I should also point out Fortinet's blog is about zero day vulnerabilities in a competitor's product being exploited by a nation state... which is exactly the same as the FortiManager situation they haven't disclosed publicly or privately given IOCs for. They released extensive details on their competitor's woes.
On a positive note, blog title!
FortiNet drama rumbling on
FortiNet's security portal has been broken for 24 hours now https://www.fortiguard.com/psirt
PSIRT Advisories | FortiGuard Labs

People are quite openly posting what is happening on Reddit now: threat actors are registering rogue FortiGates into FortiManager with hostnames like 'localhost' and using them to get RCE.

Somebody posted the list of impacted FortiManager versions and fixed versions on Reddit. 3 of the versions don’t have patches available.

It’s not on the list but people are saying in the thread FortiManager Cloud is impacted too.

Fortinet’s PSIRT advisory website is still offline.

FGFM - FortiGate to FortiManager Protocol Shodan dork, save for later this week.

https://beta.shodan.io/search?query=port%3A541+xab

Documentation: https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/373486/fgfm-fortigate-to-fortimanager-protocol

"The FortiGate to FortiManager (FGFM) protocol is designed for FortiGate and FortiManager deployment scenarios, especially where NAT is used. These scenarios include the FortiManager on public internet while the FortiGate unit is behind NAT, FortiGate unit is on public internet while FortiManager is behind NAT..."

I've written a thing, and drawn a logo in crayon and an explainer in MS Paint.

Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs

https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerability-used-by-nation-state-in-espionage-via-msps-c79abec59773


Did you know there’s widespread exploitation of FortiNet products going on using a zero day, and that there’s no CVE? Now you do. The thread is a bit wild, I didn’t know about the FortiNet private…


While investigating this one I've found 4 different peeps at 4 different orgs with this... We really need infosec vendors, when they say they want radical transparency, to have radical transparency.

It should not be me naming vulns in crayon still in 2024.

https://infosec.exchange/@grey/113353081444957562

grey (@[email protected])

@[email protected] Can confirm these deets. Definitely worth looking through your logs for newly registered devices named localhost. If you have FDS they will show up as unregistered FDS devices :ablobcatwave:

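A defender-side check for the log review grey describes above, and for the rogue 'localhost' registrations noted earlier in the thread, as an added example that is not from any poster or from Fortinet. The key=value field names, serial numbers, inventory and hostname convention are all constructed or assumed; check them against your own FortiManager event-log schema before adapting the patterns.

```python
import re

# Constructed sample FortiManager-style event lines (key=value syntax). Field
# names and values are ASSUMED for illustration, not a verified Fortinet schema.
SAMPLE_LOGS = """\
date=2024-10-20 time=03:12:44 msg="Device added" devname="FW-BRANCH-01" serial="FGT-SERIAL-A" user="admin"
date=2024-10-21 time=02:01:09 msg="Device added" devname="localhost" serial="FGT-SERIAL-X" user="unknown"
date=2024-10-21 time=02:01:10 msg="Device added" devname="LOCALHOST" serial="FGT-SERIAL-B" user="admin"
date=2024-10-21 time=02:05:00 msg="Device added" devname="FW-BRANCH-02" serial="FGT-SERIAL-Y" user="admin"
date=2024-10-21 time=09:00:00 msg="Config changed" devname="FW-BRANCH-01" serial="FGT-SERIAL-A" user="admin"
"""

# Serials the organisation actually owns (constructed inventory).
KNOWN_SERIALS = {"FGT-SERIAL-A", "FGT-SERIAL-B"}
# Expected hostname convention (assumed: FW-<SITE>-<NN>).
NAME_PATTERN = re.compile(r"^FW-[A-Z0-9]+-\d{2}$")
# Decoy names seen in the thread; compared case-insensitively.
SUSPICIOUS_NAMES = {"localhost", "localhost.localdomain", ""}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: q if q else b for k, q, b in KV_RE.findall(line)}

def find_rogue_registrations(log_text, known_serials=KNOWN_SERIALS,
                             name_pattern=NAME_PATTERN):
    """Return device-registration events that look like rogue FortiGates.

    A registration is flagged when its hostname is a known decoy such as
    'localhost', when the serial is not in the inventory, or when the
    hostname breaks the naming convention. Each hit lists its reasons.
    """
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("msg") != "Device added":
            continue  # only new registrations matter for this check
        name, serial = ev.get("devname", ""), ev.get("serial", "")
        reasons = []
        if name.lower() in SUSPICIOUS_NAMES:
            reasons.append("decoy hostname")
        if serial not in known_serials:
            reasons.append("serial not in inventory")
        if not name_pattern.match(name):
            reasons.append("hostname breaks naming convention")
        if reasons:
            hits.append({"time": f'{ev["date"]} {ev["time"]}', "devname": name,
                         "serial": serial, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for h in find_rogue_registrations(SAMPLE_LOGS):
        print(h["time"], h["devname"], h["serial"], "; ".join(h["reasons"]))
```

Run against the constructed sample it flags the two 'localhost' registrations plus one device with an unknown serial, and ignores the later config change on a known device.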

btw that blog includes a banger detail I'm not sure is widely known yet - the threat actor has been combo'ing the other CISA KEV vuln (from earlier in the year) to enter FortiGate, then using this to enter the managing FortiManager, and then using that to go back downstream - i.e. jumping over zoned networks.

As far as I can piece together, this has been happening for a while.

FortiGate admins report active exploitation 0-day. Vendor isn’t talking.

Vulnerability allowing remote code execution has been discussed since at least 9 days ago.

Ars Technica
FortiNet just released FortiManager 7.0.13, which fixes the FortiManager zero day for 7.0. It isn't listed in the release notes as a fix, instead they list an unrelated CVE for an old SSH vuln. https://docs.fortinet.com/product/fortimanager/7.0
FortiManager 7.0

So there's a record somewhere, as FortiNet aren't listing it for some reason, here are the fixed versions for the zero day:

FortiManager 7.4.5: https://docs.fortinet.com/document/fortimanager/7.4.5/release-notes/723553/fortimanager-7-4-5-release

FortiManager 7.2.8:
https://docs.fortinet.com/document/fortimanager/7.2.8/release-notes/972111/resolved-issues

FortiManager 7.0.13:
https://docs.fortinet.com/document/fortimanager/7.0.13/release-notes/972111/resolved-issues

There are currently no patches for 7.6 or 6.4 branches, and the mitigation doesn't work on those.

FortiManager 7.4.5 Release | Release Notes

@GossiTheDog How can a public company do this shit? The SEC should be eating their souls.