A missing authentication for a critical function vulnerability (CWE-306) in FortiManager fgfmd may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted requests. Reports indicate this vulnerability is being exploited in the wild. #FortiManager #Fortinet
Keypoints
- Vulnerability identified in FortiManager fgfmd daemon (CWE-306).
- Allows remote unauthenticated attackers to execute arbitrary code or commands.
- Affected products include FortiManager itself, plus older FortiAnalyzer models on which the FortiManager-on-FortiAnalyzer feature and the fgfm service are both enabled.
- Remediation is upgrading to a fixed release; interim workarounds are to deny unknown devices (fgfm-deny-unknown), enable unregistered-log-device detection, apply the FDS settings the advisory lists, restrict the fgfm port with a local-in policy that allows only the IPs of managed devices, or require custom certificates for device registration.
- Indicators of Compromise (IoCs) include specific log entries, IP addresses, serial numbers, and file paths such as /tmp/.tm and /var/tmp/.tm.
- Risk involves automated exfiltration of sensitive data from FortiManager (IPs, credentials, configurations).
- Recovery methods include rebuilding the FortiManager database or restoring from backups, with careful validation of configuration integrity.
MITRE Techniques
- [T1203] Exploitation for Client Execution (Execution): exploitation of the vulnerability to execute arbitrary commands; T1190 Exploit Public-Facing Application is the closer fit for an unauthenticated, network-reachable daemon. "A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests."
- [T1041] Exfiltration Over C2 Channel (Exfiltration): scripted exfiltration of files containing IPs, credentials, and configurations. "The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices."
- [T1003] OS Credential Dumping (Credential Access): credentials of the managed devices are exposed through the exfiltrated configuration files rather than dumped from the appliance OS, so this mapping is a loose one.
Indicators of Compromise
- [IP Address] FortiManager exfiltration context: 45.32.41.202, 104.238.141.143, 158.247.199.37, 45.32.63.2, 195.85.114.78 (not observed by Fortinet; reported by Mandiant)
- [Serial Number] Identity of the rogue FortiManager-VM the attacker registers with a target: FMG-VMTM23017412 (look for it in device-manager and fgfmd event logs)
- [File] FortiManager temporary files β /tmp/.tm, /var/tmp/.tm
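The IoC list above is only useful if it is actually run against the appliance's event logs and filesystem. The following is an added example, not code from Fortinet or from the original page: a small hunter that parses FortiManager-style key=value event lines, flags the device-manager messages associated with an unknown device registering as "localhost", matches the listed IPs and serial number, and checks a directory listing for the /tmp/.tm and /var/tmp/.tm staging paths. The sample log lines are constructed for the example, the exact message strings are an assumption, and the "subtype=fgfm" connection record is invented to exercise the IP and serial matching.

```python
import re

# IoCs as listed on this page (IPs reported by Mandiant; serial and paths from Fortinet).
IOC_IPS = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2", "195.85.114.78"}
IOC_SERIALS = {"FMG-VMTM23017412"}
IOC_PATHS = {"/tmp/.tm", "/var/tmp/.tm"}

# Device-manager messages to hunt for: the attack registers an unknown device that
# shows up as "localhost". These exact strings are an assumption for this example.
SUSPICIOUS_MSGS = ("Unregistered device localhost add succeeded", "Edit device (localhost)")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# key=value pairs, either "quoted" (may contain commas) or bare (ends at comma/space).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_kv(line: str) -> dict:
    """Parse a FortiManager-style event line (key=value,key="quoted value" ...) into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def scan_event_line(line: str) -> list:
    """Return (kind, value) IoC hits for one log line; an empty list means no hit."""
    fields = parse_kv(line)
    hits = []
    # Only the human-readable fields are checked for the registration messages.
    haystack = " ".join(v for k, v in fields.items() if k in ("msg", "changes"))
    for needle in SUSPICIOUS_MSGS:
        if needle in haystack:
            hits.append(("msg", needle))
    for serial in IOC_SERIALS:
        if serial in line:
            hits.append(("serial", serial))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    return hits


def scan_log(text: str) -> list:
    """Scan a whole log; returns [(line_number, [hits...]), ...] for lines with at least one hit."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_event_line(line)
        if hits:
            results.append((n, hits))
    return results


def check_staging_paths(listing: list) -> list:
    """Given paths observed on the appliance (e.g. from a directory listing), return IoC paths present."""
    return sorted(IOC_PATHS.intersection(listing))


# Constructed sample log, not real appliance output. Lines 1-2 mimic the unregistered
# "localhost" device events, line 3 is a benign device edit by an admin, and line 4 is
# an invented fgfmd connection record carrying the attacker serial and a listed IP.
SAMPLE_LOG = """\
type=event,subtype=dvm,pri=notice,desc="Device,manager,generic,information,log",user="device",msg="Unregistered device localhost add succeeded" adom="FortiManager" session_id=3 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"
type=event,subtype=dvm,pri=notice,desc="Device,manager,generic,information,log",user="device",msg="Edit device (localhost)" adom="FortiManager" session_id=3 operation="Modify device" performed_on="localhost" changes="Edit device (localhost)"
type=event,subtype=dvm,pri=notice,desc="Device,manager,generic,information,log",user="admin",msg="Edit device (FGT60F-branch)" adom="root" session_id=9 operation="Modify device" performed_on="FGT60F-branch" changes="Edit device (FGT60F-branch)"
type=event,subtype=fgfm,pri=notice,msg="FGFM connection from 45.32.41.202 sn=FMG-VMTM23017412"
"""

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {hits}")
    # Constructed listing standing in for `ls -la /tmp /var/tmp` output.
    print("staging paths present:", check_staging_paths(["/tmp/.tm", "/var/tmp/cache", "/tmp/log"]))
```

A hit on the "localhost" registration messages alone is the strongest signal here, because a legitimate FortiGate never registers under that name; the IP and serial matches are secondary and are only useful while the attacker reuses the same infrastructure. Treat a clean scan as necessary but not sufficient, since logs on a compromised manager may have been truncated or the device already rebuilt.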