Security appliance slinger Fortinet has warned of a critical vulnerability in its products that can be exploited to allow unauthenticated attackers full control over the target system – providing a particular daemon is enabled.
The vulnerability, discovered by Orange Group security researcher Cyrille Chatras and reported privately to Fortinet under responsible disclosure, lies in the fgfmsd daemon shared by FortiManager, the company's central management platform, and FortiAnalyzer, its log collection and analytics platform – the two products that sit above FortiGate security appliances rather than on them. Should that daemon be enabled, the company admitted, a remote attacker needs no credentials to gain full control.
“A Use After Free (CWE-416) vulnerability in [the] FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorised code as root via sending a specifically crafted request to the fgfm port of the targeted device,” the company confirmed in a statement.
There's some welcome news, though: the fgfmsd daemon, which handles the FortiGate-to-FortiManager (FGFM) protocol, is disabled by default on FortiAnalyzer – and can only be enabled at all on the FortiAnalyzer 1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, and 3900E hardware models. On FortiManager the daemon is the product's core function, so there is no default-off comfort there.
Those with affected FortiManager and FortiAnalyzer installations are advised to upgrade to the fixed release of whichever branch they are running – 5.6.11, 6.0.11, 6.2.8, 6.4.6, or 7.0.1, or later – to close the hole. Older branches not on that list receive no fix and should be treated as needing a migration, not as safe.
Should that be impossible, the company's workaround – which applies only to FortiAnalyzer units, since it switches off the FortiManager features they optionally carry – is to disable those features manually with the following commands at the management CLI:

config system global
    set fmg-status disable
end

FortiManager installations themselves have no equivalent workaround and must be patched.
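As an added worked example, not Fortinet's code nor part of the original article, the following Python script turns the remediation guidance above into a triage check: it encodes the fixed release of each branch the advisory names, classifies a running version as patched, vulnerable or unknown (unknown covering end-of-life branches that get no fix), and optionally probes whether the FGFM port is reachable. Two things it assumes that the page does not state: that fgfmsd listens on TCP/541 (the usual FGFM port), and that `get system status` prints a line like "Version : v6.4.5-build2288"; the sample output in the script is constructed, not captured from a real device.

```python
"""Triage helper for the FortiManager / FortiAnalyzer fgfmsd use-after-free.

Added example, not Fortinet's code or the article's. It encodes the fixed
releases listed in the article (5.6.11, 6.0.11, 6.2.8, 6.4.6, 7.0.1) and
decides whether a given running version still needs the upgrade or the
FortiAnalyzer-only workaround.

Assumptions (not stated on the page):
  - fgfmsd listens on TCP/541 (the FGFM port); used only by the network probe.
  - `get system status` prints a line such as "Version : v6.4.5-build2288";
    SAMPLE_STATUS below is constructed for illustration.
"""
import re
import socket
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First release of each branch that carries the fix, per the advisory text
# quoted in the article. Branches absent here get no fix at all.
FIXED_BY_BRANCH = {
    (5, 6): (5, 6, 11),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
    (6, 4): (6, 4, 6),
    (7, 0): (7, 0, 1),
}

FGFM_PORT = 541  # assumption: standard FGFM port, not stated in the article


def parse_version(text: str) -> Optional[Version]:
    """Pull the first x.y.z version out of CLI output or a bare string.

    Accepts "6.4.5", "v6.4.5", or a whole "Version : v6.4.5-build2288 ..." line.
    Returns None when no dotted version is present.
    """
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Classify a running version as 'patched', 'vulnerable' or 'unknown'.

    'unknown' covers unparsable input and branches the advisory does not
    list (for example end-of-life trains). Treat those as needing a
    migration, not as safe.
    """
    v = parse_version(version)
    if v is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


def fgfmsd_reachable(host: str, port: int = FGFM_PORT, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to the FGFM port succeeds.

    Network probe; not exercised by the offline checks. On a FortiAnalyzer
    unit, a closed port is consistent with the workaround having been applied
    (fmg-status disabled); on FortiManager the port is expected to be open.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample, not real device output.
SAMPLE_STATUS = """Platform Full Name : FortiAnalyzer-3000F
Version : v6.4.5-build2288 210430 (GA)
Serial Number : FAZ-EXAMPLE
"""

if __name__ == "__main__":
    print("sample device:", assess(SAMPLE_STATUS))  # vulnerable: 6.4.5 < 6.4.6
    for v in ("6.4.6", "7.0.0", "5.6.11", "6.2.7", "5.4.9"):
        print(v, assess(v))
```

Paste the output of `get system status` from each FortiManager and FortiAnalyzer into `assess()`; anything that comes back as "vulnerable" needs the branch upgrade, and anything "unknown" needs a closer look rather than a tick in the box. Version tuples are compared element-wise, so 6.4.10 correctly sorts above 6.4.6, which a plain string comparison would get wrong.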
“Memory related vulnerabilities are a common problem which can often have severe impact, such as is the case here,” application security expert Sean Wright told The Register. “Ensuring appropriate checks are performed to identify these flaws is crucial, for example by using static code scanners which will detect and prevent their presence.
“Alternatively, educating developers about their existence early in the development cycle will ensure code is built securely and without such flaws in the first place. A more drastic approach, which is not always possible, is to move to a language which performs automatic memory management, such as Go or Java.”
The vulnerability is the biggest to hit Fortinet products since October last year, when the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned that flaws in the FortiOS SSL virtual private network (VPN) had been used to gain access to supposedly private networks in “multiple cases.”
More information is available in the FortiGuard Labs security bulletin. Fortinet did not respond to a request for additional comment by the time of publication. ®