Exploit

CVE-2024-47575

Missing Authentication for Critical Function (CWE-306)

Published: Oct 23, 2024 / Updated: 27d ago

The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices. type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

Our regular readers may recognize the acronym from our [previous post](https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/), in which we exploit a format string vulnerability in the FortiGate appliance side of FGFM and it’s usage. One thing that makes our lives easier is that Fortinet consistently prioritises (like other appliance manufacturers) debugging capabilities over code security (actually, it’s our opinion that they prioritise a lot over code security, but regardless) making our lives signifcantly easier when trying to work out what’s going on.

As we stated before, FortiJump is a vulnerability not in Fortigate devices, such as their firewalls and other appliances, but in FortiManager, a tool used by device administrators to maintain entire fleets of appliances. One thing that makes our lives easier is that Fortinet consistently prioritises (like other appliance manufacturers) debugging capabilities over code security (actually, it’s our opinion that they prioritise a lot over code security, but regardless) making our lives signifcantly easier when trying to work out what’s going on.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, as confirmed by Fortinet. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.

Fortinet Updates Guidance and Indicators of Compromise following FortiManager Vulnerability Exploitation Fortinet has updated their security advisory addressing a critical FortiManager vulnerability (CVE-2024-47575) to include additional workarounds and indicators of compromise (IOCs).

About the Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575) vulnerability. FortiManager is a centralized solution for configuring, enforcing policies, updating, and monitoring Fortinet network devices. The vulnerability was released on October 23 . A missing authentication for critical function in the FortiManager fgfmd (FortiGate-to-FortiManager) daemon allows remote attacker to execute arbitrary code or commands via specially crafted requests. There were signs of exploitation in the wild and the vulnerability was added to the CISA KEV . On November 15 , WatchTowr Labs published a post about this “FortiJump” vulnerability with a video demo and a link to the PoC. The researchers noted that the IOC in the Fortinet bulletin can be bypassed. And the patch itself is incomplete. On a patched device, it is possible to escalate privileges by exploiting a vulnerability called “FortiJump Higher”. На русском

submitted by /u/jnazario to r/blueteamsec [link] [comments]

The flaw, which isn't yet assigned a CVE designation, has been leveraged by the group’s DeepData post-exploitation tool to extract usernames, passwords, and VPN server details directly from memory after user authentication, providing initial access to corporate networks for espionage. Earlier in October 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors were actively exploiting a critical vulnerability in several Fortinet devices, which was previously disclosed and patched in February 2024.