July 20, 2021
Fortinet has released a security advisory regarding a Use-After-Free vulnerability which can lead to non-authenticated, privileged Remote Code Execution (RCE) on the affected system.
The vulnerability affects FortiManager & FortiAnalyzer fgfmsd daemon.
Please note that FGFM is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models:
1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E.
- CVE-2021-32589 CVSSv3 score 7.5
A Use After Free vulnerability in FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the fgfm port of the targeted device.
- FortiManager versions 5.6.10 and below (Fixed in v. 5.6.11)
- FortiManager versions 6.0.10 and below (Fixed in v. 6.0.11)
- FortiManager versions 6.2.7 and below (Fixed in v. 6.2.8)
- FortiManager versions 6.4.5 and below (Fixed in v. 6.4.6)
- FortiManager version 7.0.0 (Fixed in v. 7.0.1)
- FortiManager versions 5.4.x
- FortiAnalyzer versions 5.6.10 and below (Fixed in v. 5.6.11)
- FortiAnalyzer versions 6.0.10 and below (Fixed in v. 6.0.11)
- FortiAnalyzer versions 6.2.7 and below (Fixed in v. 6.2.8)
- FortiAnalyzer versions 6.4.5 and below (Fixed in v. 6.4.6)
- FortiAnalyzer version 7.0.0 (Fixed in v. 7.0.1)
CYREBRO recommends updating vulnerable products to their respective fixed versions (or newer) as stated in the “Affected Products” section above.
Fortinet has provided a workaround in the scenario that mitigation is not currently possible:
- Disable FortiManager features on the FortiAnalyzer unit using the command below:
config system global
set fmg-status disable <— Disabled by default.
References: FortiGuard Labs advisory
*CYREBRO Cyber Threat Intelligence (CTI) alerts are researched and published by CYREBRO threat intelligence specialists. The aim is to share information about the latest threats and vulnerabilities, and provide recommended mitigation tactics.