CVE-2024-23113 CVE-2024-47575 | Fortinet | LPE-RCE
| Vulnerability | CVE-2024-23113 & CVE-2024-47575 |
|---|---|
| Type | Privilege Escalation and Remote Code Execution |
| Description | These vulnerabilities affect Fortinet FortiManager, the centralized management platform for FortiGate appliances. CVE-2024-23113 allows privilege escalation through weak session management and permission-validation flaws. CVE-2024-47575 enables remote code execution over the FGFM (FortiGate-to-FortiManager) protocol, which lacks sufficient security controls, so an attacker holding an authenticated FortiGate device can take control of the FortiManager instance. Both flaws are actively exploited in the wild. |
| Affected Systems | Fortinet FortiManager (versions prior to the patched releases) and FortiGate appliances that use FGFM for central management. |
| Attack Vector | Remote. Attackers exploit FGFM protocol weaknesses and session-handling flaws to gain unauthorized access and execute arbitrary commands, either by crafting malicious packets or by leveraging an authenticated FortiGate device. |
| Exploit Mechanics | CVE-2024-23113 (Privilege Escalation):<br>- Exploits weak session handling in FortiManager.<br>- Attackers manipulate session tokens or bypass permission checks to obtain administrative privileges.<br>- Includes session hijacking and unauthorized admin-account creation.<br>CVE-2024-47575 (Remote Code Execution):<br>- Leverages the FGFM protocol over TCP port 541.<br>- Attackers register malicious or compromised FortiGate devices.<br>- Insufficient validation of FGFM messages lets injected payloads reach arbitrary command execution.<br>- Debugging features on FortiGate appliances expose protocol details, aiding exploitation. |
| The Impact of the Bug | - Privilege escalation gives attackers administrative control over FortiManager instances.<br>- Remote code execution risks complete compromise of FortiManager and, through it, every managed FortiGate device and potentially the wider network infrastructure. |
| Detection Techniques | Log analysis: monitor FortiManager logs for unexpected device registrations, unusual administrative actions or session escalations, and commands initiated by unknown session tokens.<br>Network traffic inspection: analyze TCP port 541 traffic for malformed FGFM packets, suspicious or unusually large payloads, and irregular communication patterns.<br>File integrity monitoring: watch critical FortiManager system files for unexpected changes.<br>Behavioral detection: use EDR tooling to flag high-frequency administrative actions and command execution tied to debugging features.<br>IoC correlation: compare logs and traffic against the indicators published in security advisories.<br>FortiManager audits: audit registered devices regularly so that only legitimate devices remain authorized, and review session logs for anomalies such as frequent invalid tokens. |
| How to detect infections | - Log analysis: monitor FortiManager logs for unauthorized device registrations or anomalous commands.<br>- Protocol monitoring: inspect traffic on TCP port 541 for unexpected FGFM messages or packet patterns.<br>- Endpoint detection: use EDR tools to identify unauthorized modifications to FortiManager or its configuration. |
| Mitigation Steps | - Apply the latest patches released by Fortinet for these vulnerabilities.<br>- Restrict access to FortiManager and FortiGate appliances with strict network segmentation and access control.<br>- Regularly audit registered devices and session logs for anomalies.<br>- Disable or limit debugging functionality in production environments to reduce exposure. |
| Workarounds | - Isolate FortiManager instances from the internet and allow access only through a secure VPN.<br>- Temporarily disable FGFM protocol communications if they are not immediately required for operations. |
| References | - WatchTowr Blog - Hop-Skip-FortiJump-FortiJump-Higher |
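A detector built on the indicators in the Detection Techniques row, as an added example (not code from this catalogue or from Fortinet): it takes normalized event records and flags unknown peers on TCP/541, registrations of serials missing from the inventory or arriving from an unexpected address, and bursts of administrative actions. The field names, inventory and sample events are constructed for the demo, not FortiManager's real log schema.

```python
from collections import Counter

# Constructed inventory: FortiGate serials authorized to register, with their
# expected source address. Not a real Fortinet data structure.
KNOWN_DEVICES = {"FGT-SN-0001": "10.0.1.10", "FGT-SN-0002": "10.0.1.11"}
FGFM_PORT = 541                 # FGFM listens on TCP 541 (from the entry above)
ADMIN_ACTION_THRESHOLD = 5      # more admin actions than this per user is a burst

# Constructed, normalized events; field names are this example's own, not
# FortiManager's log format. A real deployment maps vendor logs onto them.
SAMPLE_EVENTS = [
    {"kind": "flow", "src": "10.0.1.10", "dport": 541},        # known FortiGate
    {"kind": "flow", "src": "203.0.113.7", "dport": 541},      # unknown peer
    {"kind": "flow", "src": "203.0.113.7", "dport": 443},      # not FGFM, ignored
    {"kind": "register", "serial": "FGT-SN-0001", "src": "10.0.1.10"},
    {"kind": "register", "serial": "FGT-SN-9999", "src": "203.0.113.7"},
    {"kind": "register", "serial": "FGT-SN-0002", "src": "198.51.100.5"},
    {"kind": "admin", "user": "admin", "action": "edit_policy"},
] + [{"kind": "admin", "user": "svc_admin", "action": "add_user"}] * 6

def analyze(events):
    """Return a list of (alert_type, subject) tuples for the indicators found."""
    alerts = []
    admin_actions = Counter()
    known_ips = set(KNOWN_DEVICES.values())
    for ev in events:
        if ev["kind"] == "flow":
            # Any FGFM client that is not an inventoried FortiGate is suspicious.
            if ev["dport"] == FGFM_PORT and ev["src"] not in known_ips:
                alerts.append(("unknown_fgfm_peer", ev["src"]))
        elif ev["kind"] == "register":
            serial = ev["serial"]
            if serial not in KNOWN_DEVICES:
                alerts.append(("unexpected_registration", serial))
            elif KNOWN_DEVICES[serial] != ev["src"]:
                # Known serial registering from a new address: possible impersonation.
                alerts.append(("serial_ip_mismatch", serial))
        elif ev["kind"] == "admin":
            admin_actions[ev["user"]] += 1
    # High-frequency administrative actions, from the behavioral-detection item.
    for user, count in admin_actions.items():
        if count > ADMIN_ACTION_THRESHOLD:
            alerts.append(("admin_burst", user))
    return alerts

if __name__ == "__main__":
    for alert_type, subject in analyze(SAMPLE_EVENTS):
        print(f"{alert_type}: {subject}")
```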