Hello everybody. If you use FortiManager from FortiNet you should be prepared to grab the latest available release from the support portal and upgrade.

Patches aren’t out yet. Mitigation is available. If you have FortiManager facing the internet, I’d say remove it from the internet now. #threatintel https://mastodon.green/@fthy/113299522822025433

fthy (@fthy@mastodon.green):

Patch your FortiManager now. Limit access to it to only from dedicated jump-servers. #fortinet #fortimanager #infosec
Stealth rewrite as patches aren’t available yet.

Different vuln from earlier this year, but same component, to give scale of unpatched Forti problem. https://infosec.exchange/@shadowserver/113300701642489996
The Shadowserver Foundation (@shadowserver@infosec.exchange):

We are now reporting in our feeds Fortinet IPs still likely vulnerable to CVE-2024-23113 (format string pre-auth RCE). This vulnerability is known to be exploited in the wild. 87,390 IPs found on 2024-10-12 scan. Top: US (14K), Japan (5.1K), India (4.8K)

We are sharing daily feeds of vulnerable IPs in our Vulnerable HTTP report: https://shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

You can track CVE-2024-23113 vulnerable instances over time on our Dashboard: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=other&d1=2024-10-09&d2=2024-10-12&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-23113%2B&dataset=unique_ips&style=stacked

Patch details from Fortinet (Feb 8th, 2024): https://fortiguard.com/psirt/FG-IR-24-029

Note this vulnerability has been added recently to the US CISA's Known Exploited Vulnerabilities catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Does anybody know if the FortiManager zero day situation has a CVE and/or patch yet?

FortiGate have released one of the six new versions of FortiManager which fix the actively exploited zero day in the product… but they’ve not issued a CVE or documented the issue existing in the release notes. Next week maybe?

And we have another FortiManager patch out: https://www.reddit.com/r/fortinet/s/JNCdPoxAgb

Fortigate currently having the world's least secret zero day used by China play out, including in FortiManager Cloud… but everybody is confused.

Fortinet's last security blog included a section called "A Call to the Industry: Doing the Right Thing for the Security of our Society", which is good. It talks about "transparent disclosure of discovered vulnerabilities" and "radical transparency".

In other news, Fortigate are almost two weeks into knowing they have a zero day which is actively exploited in one of their products, haven't issued a CVE, haven't done a public writeup, and have patch notes that don't mention the vuln.

I should also point out Fortinet's blog is about zero day vulnerabilities in a competitor's product being exploited by a nation state... which is exactly the same as the FortiManager situation they haven't disclosed publicly or privately given IOCs for. They released extensive details on their competitor's woes.
On a positive note, blog title!

FortiNet drama rumbling on

FortiNet's security portal has been broken for 24 hours now https://www.fortiguard.com/psirt
People are quite openly posting what is happening on Reddit now, threat actors are registering rogue FortiGates into FortiManager with hostnames like 'localhost' and using them to get RCE.

Somebody posted the list of impacted FortiManager versions and fixed versions on Reddit. 3 of the versions don’t have patches available.

It’s not on the list but people are saying in the thread FortiManager Cloud is impacted too.

Fortinet’s PSIRT advisory website is still offline.

FGFM - FortiGate to FortiManager Protocol Shodan dork, save for later this week.

https://beta.shodan.io/search?query=port%3A541+xab

Documentation: https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/373486/fgfm-fortigate-to-fortimanager-protocol

"The FortiGate to FortiManager (FGFM) protocol is designed for FortiGate and FortiManager deployment scenarios, especially where NAT is used. These scenarios include the FortiManager on public internet while the FortiGate unit is behind NAT, FortiGate unit is on public internet while FortiManager is behind NAT..."

I've written a thing, and drawn a logo in crayon and an explainer in MS Paint.

Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs

https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerability-used-by-nation-state-in-espionage-via-msps-c79abec59773


While investigating this one I've found 4 different peeps at 4 different orgs with this… We really need infosec vendors, when they say they want radical transparency, to have radical transparency.

It should not be me naming vulns in crayon still in 2024.

https://infosec.exchange/@grey/113353081444957562

grey (@grey@infosec.exchange):

@GossiTheDog@cyberplace.social Can confirm these deets. Definitely worth looking through your logs for newly registered devices named localhost. If you have FDS they will show up as unregistered FDS devices :ablobcatwave:
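A defender-side check for what grey describes above (newly registered devices named localhost): an added example, not code from the thread or from Fortinet. The key=value log layout, field names, sample lines and the expected FGFM source range are all constructed assumptions; adapt the regex and the range to your own FortiManager log export.

```python
import ipaddress
import re

# Constructed sample events in a generic key=value layout. Field names, layout,
# serials and IPs are assumptions for this example, not FortiManager's real schema.
SAMPLE_LOG = """\
date=2024-10-20 time=03:14:07 type=event subtype=dvm action=device_register device="branch-fw-01" sn="FGT-CONSTRUCTED-01" srcip=10.20.30.40 status=success
date=2024-10-20 time=03:15:22 type=event subtype=dvm action=device_register device="localhost" sn="FGT-CONSTRUCTED-02" srcip=198.51.100.7 status=success
date=2024-10-20 time=03:16:01 type=event subtype=dvm action=device_unregister device="localhost" sn="FGT-CONSTRUCTED-02" srcip=198.51.100.7 status=success
date=2024-10-20 time=04:02:45 type=event subtype=dvm action=device_register device=" LOCALHOST" sn="FGT-CONSTRUCTED-03" srcip=203.0.113.5 status=success
date=2024-10-20 time=05:00:00 type=event subtype=system action=login user="admin" srcip=10.0.0.2 status=success
"""

# Assumed: your managed FortiGates only ever reach FGFM from these ranges.
EXPECTED_FGFM_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value event line into a dict, unquoting quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _KV.finditer(line)}


def suspicious_registrations(log_text):
    """Return (serial, device name, srcip, reasons) for registrations that look rogue."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") != "dvm" or ev.get("action") != "device_register":
            continue  # only new device registrations matter here
        reasons = []
        # Normalise case and padding so 'LOCALHOST ' is not missed.
        if ev.get("device", "").strip().lower() == "localhost":
            reasons.append("device named localhost")
        src = ev.get("srcip")
        try:
            if not any(ipaddress.ip_address(src) in net for net in EXPECTED_FGFM_SOURCES):
                reasons.append(f"registration from unexpected source {src}")
        except ValueError:
            reasons.append("missing or malformed srcip")
        if reasons:
            findings.append((ev.get("sn"), ev.get("device"), src, reasons))
    return findings


if __name__ == "__main__":
    for sn, dev, src, why in suspicious_registrations(SAMPLE_LOG):
        print(f"{sn} {dev!r} from {src}: {'; '.join(why)}")
```

A register/unregister pair for the same serial within minutes (as in the second and third sample lines) is worth correlating separately, since a short-lived rogue device leaves no entry in the current device list.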

btw that blog includes a banger detail I'm not sure is widely known yet - threat actor has been combo'ing the other CISA KEV vuln (from earlier in the year) to enter FortiGate, then used this to enter the managing FortiManager, and then using that to go back downstream - i.e. jumping over zoned networks.

As far as I can piece together, this has been happening for a while.

Ars Technica: FortiGate admins report active exploitation 0-day. Vendor isn’t talking. "Vulnerability allowing remote code execution has been discussed since at least 9 days ago."
FortiNet just released FortiManager 7.0.13, which fixes the FortiManager zero day for 7.0. It isn't listed in the release notes as a fix, instead they list an unrelated CVE for an old SSH vuln. https://docs.fortinet.com/product/fortimanager/7.0

So there's a record somewhere, as FortiNet aren't listing it for some reason, here's the fixed versions for the zero day:

FortiManager 7.4.5: https://docs.fortinet.com/document/fortimanager/7.4.5/release-notes/723553/fortimanager-7-4-5-release

FortiManager 7.2.8:
https://docs.fortinet.com/document/fortimanager/7.2.8/release-notes/972111/resolved-issues

FortiManager 7.0.13:
https://docs.fortinet.com/document/fortimanager/7.0.13/release-notes/972111/resolved-issues

There are currently no patches for 7.6 or 6.4 branches, and the mitigation doesn't work on those.


FortiNet have now gone public about FortiJump, aka CVE-2024-47575 https://fortiguard.fortinet.com/psirt/FG-IR-24-423

Not in the advisory but exploitation stems to at least September, and it's being used to enter downstream networks.

#FortiJump

"Reports have shown this vulnerability to be exploited in the wild."

FortiNet have updated the PSIRT entry to include IPs (there’s one additional) and forensics info.

I would recommend FortiManager customers check their boxes, even if the FortiManager itself isn’t directly internet facing - if you have FortiGate firewalls that are.

(Also if you have global Netflow data, check out those IPs 🫡)

FortiJump explained in a GIF

FortiJump activity in the wild dating back to August now, place your bets about how far back this goes.

BleepingComputer: Mandiant says new Fortinet flaw has been exploited since June

A new Fortinet FortiManager flaw dubbed "FortiJump" and tracked as CVE-2024-47575 has been exploited since June 2024 in zero-day attacks on over 50 servers, according to a new report by Mandiant.
Looping this in as it's both a funny article and provides a way to fingerprint patching of a prior FGFM vuln from February 2024. https://cyberplace.social/@GossiTheDog/113307720748822638

Kevin Beaumont (@GossiTheDog@cyberplace.social):

lol at this Watchtowr write up - it’s on the money. Vulns from 1998. Wait until they see the new FortiManager zero day, I wanna see their write up. https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/
FortiJumper attackers have unfortunately now fallen* off the internet

I think this got lost in the mix - the #FortiJump threat actress wasn’t just exploiting FortiManager.

Both FortiGate (the firewall product) and FortiManager (the central manager product) use FGFM on port 541.

The threat actress had different exploits for both products - the February FortiGate CVE and the new FortiManager CVE.

One recommended mitigation in FortiManager is you lock FGFM to allowed IPs of your FortiGates. If you pop the FortiGate first you can reach the FortiManager by design.

Don’t worry everybody, #FortiJump is back for Christmas… this time set in space! The patch didn’t fix the variants.
Fortijump-higher

FortiJump Higher details are out. Even with the patch installed, apparently you can get RCE on FortiManager using a FortiGate it manages. https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/
@GossiTheDog I wonder if they're still using debian etch or if they ever rebased to lenny. They were using etch on their firewall appliances two years after the release was EOLed