Fortinet’s security appliances hit by remote code execution vulnerability

Security appliance slinger Fortinet has warned of a critical vulnerability in its software that can be exploited to grant unauthenticated attackers full control over a targeted system, providing a particular daemon is enabled.

The flaw, discovered by Orange Group security researcher Cyrille Chatras and sent to Fortinet privately for responsible disclosure, lies in FortiManager and FortiAnalyzer’s fgfmsd daemon, which if running and vulnerable can be exploited over the network.

“A Use After Free (CWE-416) vulnerability in [the] FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorised code as root via sending a specifically crafted request to the FGFM port of the targeted device,” the vendor warned customers.

Note that the FGFM service is disabled by default in FortiAnalyzer and can only be enabled on 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, and 3900E appliances.

Those with affected FortiManager and FortiAnalyzer installations are advised to upgrade to the most recently released version – 5.6.11, 6.0.11, 6.2.8, 6.4.6, or 7.0.1 or above, depending on which major release of the software you’re running – to close the hole.

Should that be impossible, and you’re using a FortiAnalyzer box, a workaround is to disable the FortiManager features on the FortiAnalyzer unit manually with the following commands at the management console:

config system global set fmg-status disable
end

“Memory related vulnerabilities are a common problem which can often have severe impact, such as is the case here,” application security expert Sean Wright told The Register. “Ensuring appropriate checks are performed to identify these flaws is crucial, for example by using static code scanners which will detect and prevent their presence.

“Alternatively, educating developers about their existence early in the development cycle will ensure code is built securely and without such flaws in the first place. A more drastic approach, which is not always possible, is to move to a language which performs automatic memory management, such as Go or Java.”

The vulnerability is the biggest to hit Fortinet products since October last year, when the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned that flaws in the FortiOS SSL virtual private network (VPN) had been used to gain access to supposedly private networks in “multiple cases.”

More information is available in the FortiGuard Labs security bulletin. Fortinet did not respond to a request for additional comment by the time of publication. ®

READ MORE HERE