Fortinet FortiManager & FortiAnalyzer fgfmsd vulnerability allows RCE

July 20, 2021

Fortinet has released a security advisory regarding a Use-After-Free vulnerability which can lead to non-authenticated, privileged Remote Code Execution (RCE) on the affected system.

The vulnerability affects the fgfmsd daemon in both FortiManager and FortiAnalyzer.

Please note that FGFM is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models:
1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E.

The Vulnerability

A Use-After-Free vulnerability in the FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorized code as root by sending a specifically crafted request to the fgfm port of the targeted device.

Affected Products

  • FortiManager versions 5.6.10 and below (Fixed in v. 5.6.11)
  • FortiManager versions 6.0.10 and below (Fixed in v. 6.0.11)
  • FortiManager versions 6.2.7 and below (Fixed in v. 6.2.8)
  • FortiManager versions 6.4.5 and below (Fixed in v. 6.4.6)
  • FortiManager version 7.0.0 (Fixed in v. 7.0.1)
  • FortiManager versions 5.4.x
  • FortiAnalyzer versions 5.6.10 and below (Fixed in v. 5.6.11)
  • FortiAnalyzer versions 6.0.10 and below (Fixed in v. 6.0.11)
  • FortiAnalyzer versions 6.2.7 and below (Fixed in v. 6.2.8)
  • FortiAnalyzer versions 6.4.5 and below (Fixed in v. 6.4.6)
  • FortiAnalyzer version 7.0.0 (Fixed in v. 7.0.1)
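To turn the list above into something an asset owner can run against an inventory, the following Python script is added here as an example (it is not part of the CYREBRO alert or of Fortinet's advisory). It encodes the affected/fixed table exactly as listed above, compares each device's version against the fixed release for its branch, and carries the note that FGFM is disabled by default on FortiAnalyzer. The hostnames and versions in SAMPLE_INVENTORY are constructed for illustration.

```python
"""Triage FortiManager / FortiAnalyzer versions against the fgfmsd advisory table.

Added example, not vendor code. The FIXED_VERSIONS table is transcribed from the
"Affected Products" list of the advisory; everything else is illustrative.
"""
from dataclasses import dataclass
from typing import Optional

# Fixed release per branch, as listed in the advisory. FortiManager 5.4.x is
# listed as affected with no fixed release, hence None.
FIXED_VERSIONS = {
    "FortiManager": {
        "5.4": None,
        "5.6": "5.6.11",
        "6.0": "6.0.11",
        "6.2": "6.2.8",
        "6.4": "6.4.6",
        "7.0": "7.0.1",
    },
    "FortiAnalyzer": {
        "5.6": "5.6.11",
        "6.0": "6.0.11",
        "6.2": "6.2.8",
        "6.4": "6.4.6",
        "7.0": "7.0.1",
    },
}


@dataclass(frozen=True)
class Assessment:
    product: str
    version: str
    status: str                 # "vulnerable", "patched" or "unknown-branch"
    fixed_version: Optional[str]
    note: str = ""


def parse_version(version: str) -> tuple:
    """Turn "v6.4.5" or "6.4.5" into a comparable tuple of ints (6, 4, 5)."""
    return tuple(int(part) for part in version.strip().lstrip("vV").split("."))


def assess(product: str, version: str, fgfm_enabled: Optional[bool] = None) -> Assessment:
    """Classify one device against the advisory table.

    fgfm_enabled is only meaningful for FortiAnalyzer, where FGFM is disabled
    by default; pass False when the unit is known to have fmg-status disabled.
    """
    table = FIXED_VERSIONS.get(product)
    if table is None:
        raise ValueError(f"unknown product {product!r}")

    parsed = parse_version(version)
    branch = ".".join(str(p) for p in parsed[:2])
    if branch not in table:
        return Assessment(product, version, "unknown-branch", None,
                          "branch not listed in the advisory; check current vendor guidance")

    fixed = table[branch]
    if fixed is None:
        return Assessment(product, version, "vulnerable", None,
                          "branch listed as affected with no fixed release in the advisory")
    if parsed >= parse_version(fixed):
        return Assessment(product, version, "patched", fixed)

    note = ""
    if product == "FortiAnalyzer" and fgfm_enabled is False:
        note = "fgfmsd is only reachable with fmg-status enabled (disabled by default); still update"
    return Assessment(product, version, "vulnerable", fixed, note)


# Constructed sample inventory: (hostname, product, version, fgfm_enabled).
SAMPLE_INVENTORY = [
    ("fmg-prod-01", "FortiManager", "6.4.5", None),
    ("fmg-lab-01", "FortiManager", "v7.0.1", None),
    ("fmg-legacy", "FortiManager", "5.4.7", None),
    ("faz-core-01", "FortiAnalyzer", "6.2.7", False),
    ("faz-dr-01", "FortiAnalyzer", "7.2.0", None),
]


def triage(inventory) -> dict:
    """Return {hostname: Assessment} for every device in the inventory."""
    return {host: assess(product, version, fgfm) for host, product, version, fgfm in inventory}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {result.product:14} {result.version:8} {result.status:14} "
              f"fixed={result.fixed_version} {result.note}")
```

A device on a branch the advisory does not list (7.2 in the sample) is reported as "unknown-branch" rather than "patched", so the script never silently clears a version the advisory says nothing about.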

Mitigation

CYREBRO recommends updating vulnerable products to their respective fixed versions (or newer) as stated in the “Affected Products” section above.

Workaround

Fortinet has provided a workaround for cases where updating is not immediately possible:

  • Disable FortiManager features on the FortiAnalyzer unit using the commands below (fmg-status is disabled by default):
    config system global
        set fmg-status disable
    end

References: FortiGuard Labs advisory

*CYREBRO Cyber Threat Intelligence (CTI) alerts are researched and published by CYREBRO threat intelligence specialists. The aim is to share information about the latest threats and vulnerabilities, and provide recommended mitigation tactics.
