This reported Fortinet vulnerability, which has been under discussion since mid-October 2024, is causing concern as it allows attackers to execute remote code on FortiGate devices by exploiting a flaw in the FortiGate-to-FortiManager protocol (FGFM). The vulnerability seems to affect FortiManager software versions 7.6.0 and below, allowing rogue FortiGate devices to register themselves into an organization’s network without proper authorization. Attackers have been reportedly stealing digital certificates from FortiGate devices, registering rogue devices into networks, and using them to gain remote access, potentially leading to a compromise of sensitive systems.

Although some administrators have received notification emails about the vulnerability and the availability of patches, Fortinet has not yet issued a public advisory or assigned a CVE designation. This lack of transparency has left users to rely on reports from security researchers and social media. Researchers like Kevin Beaumont suggest that China-state hackers may have been exploiting this vulnerability for months, gaining access to internal networks through exposed FortiGate connections.

Administrators using affected FortiManager versions are advised to update their software to the patched versions (7.6.1 or above) to mitigate the risk. However, as over 60,000 devices are exposed to the internet, many organizations could still be vulnerable until they apply the necessary updates. The fact that Fortinet’s support portal was also returning errors has added to the challenges faced by administrators looking to address the issue.

Affected Versions: The vulnerability impacts various versions of FortiManager:

• 6.0 and below
• 4.4 and below
• 2.7 and below
• 0.12 and below
• 4.14 and below
• Safe Versions: Users should update to:
• 6.1 or above
• 4.5 or above
• 2.8 or above
• 0.13 or above
• 4.15 or above

Vulnerability based information:

• Discovery Timeline: The vulnerability has been under discussion since at least October 13, with reports of its exploitation surfacing shortly thereafter.
• Root Cause: According to independent researcher Kevin Beaumont, the vulnerability arises from a default setting in FortiManager that permits devices with unknown or unauthorized serial numbers to register themselves in an organization’s FortiManager dashboard. This is a significant security flaw as it undermines the integrity of device registration and management.
• Exploitation Potential: A now-deleted Reddit comment suggested that this zero-day vulnerability allows attackers to:
• Steal a FortiGate certificate from any FortiGate device.
• Register the stolen certificate to a compromised FortiManager.
• Gain unauthorized access to the FortiManager, potentially allowing further exploitation of the network.

CVSS:

1. Base Score: Reflects the intrinsic characteristics of a vulnerability.

1. • Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely over the network.
   • Attack Complexity (AC): Low (L) – The exploit does not require special conditions or knowledge.
   • Privileges Required (PR): None (N) – No authentication is required to exploit the vulnerability.
   • User Interaction (UI): None (N) – Exploitation does not require user interaction.
   • Scope (S): Unchanged (U) – The exploitation of the vulnerability does not affect other components beyond the vulnerable component.
   • Confidentiality Impact (C): High (H) – Full access to sensitive data may be obtained.
   • Integrity Impact (I): High (H) – Attackers could modify data or configurations.
   • Availability Impact (A): High (H) – The attacker could cause service disruptions.

 

IMPACT:

The impact of the critical vulnerability in FortiManager can be significant, especially considering its role in network management and security. Here are the key potential impacts associated with this vulnerability:

1. Unauthorized Access

• Attackers could exploit the vulnerability to gain unauthorized access to the FortiManager interface, allowing them to manipulate configurations, manage devices, and monitor network traffic.

2. Remote Code Execution (RCE)

• The ability to execute arbitrary code remotely could enable attackers to install malware, conduct data breaches, or create backdoors for persistent access to the network.

3. Data Exfiltration

• With unauthorized access to FortiManager, attackers could potentially access sensitive data, including configurations, logs, and stored credentials, which can be exploited for further attacks or sold on the dark web.

4. Network Disruption

• Attackers might disrupt network services by altering configurations, disabling security features, or deploying malicious code to cause denial-of-service (DoS) conditions.

5. Compromise of Connected Devices

• Since FortiManager is used to manage FortiGate devices and other network equipment, a breach could lead to the compromise of those connected devices, resulting in a broader impact across the entire network.

6. Reputation Damage

• If the vulnerability is exploited and leads to a data breach or significant downtime, organizations may suffer reputational harm, loss of customer trust, and potential financial repercussions.

7. Compliance Violations

• Organizations subject to regulatory compliance (such as GDPR, HIPAA, or PCI-DSS) could face penalties for failing to secure sensitive data, particularly if unauthorized access results in data breaches.

8. Increased Costs

• The aftermath of a security breach often involves significant costs related to incident response, forensic investigations, system restorations, legal fees, and potential fines for regulatory non-compliance.

9. Potential for Targeted Attacks

• If attackers successfully exploit this vulnerability, they may use it as a foothold to launch further attacks on other systems within the organization or even pivot to attack partners or clients.

Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) are critical for detecting and responding to potential security incidents, especially in the context of vulnerabilities like the one affecting FortiManager.

1. Unauthorized Device Registrations:

1. • Logs showing new devices with unknown or unauthorized serial numbers registered in FortiManager.
   • Device registrations occurring from unusual geographic locations or IP addresses.
2. Suspicious Certificate Activity:
   • Unauthorized FortiGate certificates being registered to your FortiManager.
   • Logs indicating certificate retrieval or export activities that do not align with normal operations.
3. Anomalous Network Traffic:
   • Unusual outgoing or incoming network traffic patterns associated with FortiManager or FortiGate devices.
   • Large data transfers occurring at odd times, especially involving device configurations or sensitive information.
4. Failed Authentication Attempts:
   • Multiple failed login attempts to FortiManager from unknown IP addresses.
   • Unusual successful logins during non-business hours or from unfamiliar locations.
5. Configuration Changes:
   • Unexplained changes to configurations in FortiManager, particularly related to device management settings.
   • Log entries indicating the modification or deletion of device settings or user accounts.
6. Malicious Scripts or Commands:
   • Detection of known malicious payloads or commands attempting to execute on FortiManager.

RECOMMENDATIONS:

• Immediate Actions:
• Update Software:
  • Check for and install the latest available updates for FortiManager. Ensure you are using versions that are not affected by the vulnerability (7.6.1 or above, 7.4.5 or above, etc.).
• Review Default Settings:
  • Disable the setting that allows devices with unknown or unauthorized serial numbers to register themselves in your FortiManager dashboard. This can help mitigate unauthorized access.
• Conduct an Inventory Check:
  • Audit all registered devices on FortiManager to identify any that should not be there. Remove any unauthorized or unknown devices immediately.
• Monitoring and Detection:
• Enhance Network Monitoring:
  • Implement comprehensive logging and monitoring to detect unusual activities or unauthorized device registrations in your FortiManager. Set up alerts for suspicious actions.
• Check for Unusual Certificates:
  • Monitor for any unauthorized FortiGate certificates being registered to your FortiManager. Investigate any anomalies immediately.
• Communication and Engagement:
• Engage with Fortinet:

1. • • Reach out to Fortinet’s support for guidance and to express the need for timely updates regarding the vulnerability. Encourage them to issue a public advisory or a CVE designation.

• Stay Informed:

1. • • Regularly check Fortinet’s website, security forums, and trusted cybersecurity news sources for updates on the vulnerability and potential patches.

• Long-term Security Measures:
• Conduct Security Training:
  • Train your IT staff on security best practices, including recognizing the risks associated with device registration and network access control.
• Implement Access Controls:
  • Review and strengthen access controls on your FortiManager and associated devices. Ensure that only authorized personnel can make changes to device registrations.
• Regular Security Assessments:
  • Conduct periodic security assessments and penetration testing to identify and mitigate vulnerabilities in your network configuration.
• Incident Response:
• Develop an Incident Response Plan:

1. • Ensure you have a plan in place for responding to potential security incidents related to this vulnerability. This should include steps for containment, eradication, and recovery.