Fortinet releases patches for publicly undisclosed critical FortiManager vulnerability

Over the past few days, Fortinet has been releasing security updates for FortiManager to fix a critical vulnerability that is reportedly being exploited by Chinese threat actors.

Security updates are trickling out

The company, which is known for pushing out fixes for critical vulnerabilities before disclosing their existence to the public, privately notified select customers about a week ago and shared temporary mitigation advice.

The advice apparently includes configuring FortiManager to prevent devices with an unknown serial number (i.e., unauthorized devices) from registering with or connecting to it.

Limiting network access to FortiManager installations is also generally a good idea, but installing the patches once they are released is essential. Some are already available from Fortinet’s support portal.
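For readers who want to see what the mitigation described above looks like in practice, the following is an added illustration and not text from this article or from Fortinet's customer notification. It shows the FortiManager CLI setting that rejects registration attempts from devices whose serial number is not already known, followed by a local-in policy that only allows the FGFM port (TCP/541) from the addresses of managed FortiGates. The `fgfm-deny-unknown` option is assumed to exist only on recent FortiManager builds (the 7.0.12, 7.2.5 and 7.4.3 lines or later); the local-in policy syntax is assumed from FortiManager 7.2-era documentation, and the IP address is a placeholder.

```text
# Reject registration/connection attempts from devices whose serial
# number is not already in the device manager (assumed: recent builds only)
config system global
    set fgfm-deny-unknown enable
end

# Second layer: only accept FGFM (TCP/541) from known FortiGate addresses,
# drop everything else. 192.0.2.10 is a placeholder for a managed FortiGate.
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 192.0.2.10/32
    next
    edit 2
        set action drop
        set dport 541
    next
end
```

Two caveats: the setting only blocks new registrations, so any device already present in the device manager that an administrator does not recognize still needs to be reviewed and removed, and neither measure is a substitute for applying the patch once it is available for the installed branch.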

No CVE, no details (yet)

The company has yet to publicly reveal details about the vulnerability or the CVE associated with it, though the suggested mitigation might indicate that the issue resides in the “FortiGate to FortiManager” (FGFM) connection, communication and management capability.

Whether it is related to CVE-2024-23113 – a format string vulnerability that affects the FortiOS fgfm daemon – is open to speculation.

CVE-2024-23113 was patched earlier this year in FortiOS, FortiPAM, FortiProxy and FortiWeb. In early October, CISA confirmed that it is being exploited by attackers, and watchTowr Labs researchers released a deep-dive into it.

UPDATE (October 23, 2024, 03:00 a.m. ET):

Fortinet has still not publicly released a security advisory for this issue or assigned it a CVE. The company’s product security incident response team (PSIRT) web page is intermittently accessible.

Time will tell whether the company’s decision to keep this information close to the chest and engage in limited, private disclosure was the right one. In the meantime, discussions on Reddit show that some FortiManager users did not get the memo and have had to search for crucial information in (unofficial) online sources.

One of these sources is security researcher Kevin Beaumont, who has been following this situation for the last ten days or so.

In a recent post, he said that the vulnerability is being exploited by nation-state threat actors in espionage campaigns via managed service providers. Based on what he has observed on his own FortiManager honeypot and information he found online, he has provided his view of where the flaw resides and what it allows.

UPDATE (October 24, 2024, 11:10 a.m. ET):

The title has been modified to specify that the vulnerability was not publicly disclosed by Fortinet at time of writing, but only privately.
