Fortinet PSIRT – FortiManager & FortiAnalyzer – Use after free vulnerability in fgfmsd daemon
The Fortinet Product Security Incident Response Team (PSIRT) has issued a new advisory about a vulnerability detected on FortiManager and FortiAnalyzer devices. More information is available below.
Regularly visit the Fortinet PSIRT page, available at:
https://www.fortiguard.com/psirt/
These pages also list the vulnerability named at the top of this post and how it can be remediated:
https://www.fortiguard.com/psirt/FG-IR-21-067
A Use After Free (CWE-416) vulnerability in FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the fgfm port of the targeted device.
Please note that FGFM is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models:
1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E.
Impact
Remote code execution as root
Affected Products
FortiManager versions 5.6.10 and below.
FortiManager versions 6.0.10 and below.
FortiManager versions 6.2.7 and below.
FortiManager versions 6.4.5 and below.
FortiManager version 7.0.0.
FortiManager versions 5.4.x.
FortiAnalyzer versions 5.6.10 and below.
FortiAnalyzer versions 6.0.10 and below.
FortiAnalyzer versions 6.2.7 and below.
FortiAnalyzer versions 6.4.5 and below.
FortiAnalyzer version 7.0.0.
Solutions
Please upgrade to FortiManager version 5.6.11 or above.
Please upgrade to FortiManager version 6.0.11 or above.
Please upgrade to FortiManager version 6.2.8 or above.
Please upgrade to FortiManager version 6.4.6 or above.
Please upgrade to FortiManager version 7.0.1 or above.
Please upgrade to FortiAnalyzer version 5.6.11 or above.
Please upgrade to FortiAnalyzer version 6.0.11 or above.
Please upgrade to FortiAnalyzer version 6.2.8 or above.
Please upgrade to FortiAnalyzer version 6.4.6 or above.
Please upgrade to FortiAnalyzer version 7.0.1 or above.
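An added example, not part of the Fortinet advisory or of this post: a Python triage of a device inventory against the affected and fixed versions listed above. The hostnames and versions in the sample inventory are constructed, and the function and status names are this example's own.

```python
# Fixed-in release per branch, taken from the Affected Products / Solutions lists.
_FIXES = {(5, 6): (5, 6, 11), (6, 0): (6, 0, 11), (6, 2): (6, 2, 8),
          (6, 4): (6, 4, 6), (7, 0): (7, 0, 1)}
FIXED = {"FortiManager": dict(_FIXES), "FortiAnalyzer": dict(_FIXES)}
# Branches listed as affected for which the advisory text names no fixed release.
NO_FIX_LISTED = {"FortiManager": {(5, 4)}}


def parse_version(text):
    """Turn '6.4.5' or 'v6.4.5' into (6, 4, 5); raise ValueError otherwise."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(product, version):
    """Return (status, detail); status is AFFECTED, FIXED or NOT_LISTED."""
    if product not in FIXED:
        return "NOT_LISTED", "product not covered by this advisory"
    ver = parse_version(version)
    branch = ver[:2]
    if branch in NO_FIX_LISTED.get(product, set()):
        return "AFFECTED", "no fixed release listed for this branch in the advisory"
    fixed = FIXED[product].get(branch)
    if fixed is None:
        return "NOT_LISTED", "branch not mentioned in the advisory; check the PSIRT page"
    if ver < fixed:
        return "AFFECTED", "upgrade to " + ".".join(map(str, fixed)) + " or above"
    return "FIXED", "at or above " + ".".join(map(str, fixed))


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [("fmg-hq", "FortiManager", "6.4.5"), ("fmg-lab", "FortiManager", "5.4.7"),
             ("faz-dc1", "FortiAnalyzer", "7.0.1"), ("faz-dc2", "FortiAnalyzer", "7.0.0")]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        status, detail = triage(product, version)
        print(f"{host:8} {product:13} {version:7} {status:10} {detail}")
```

The status reflects the firmware version only; on FortiAnalyzer, exposure also depends on whether FGFM has been enabled, since it is disabled by default.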
Workaround:
Disable FortiManager features on the FortiAnalyzer unit using the command below:
config system global
    set fmg-status disable    <-- Disabled by default.
end
Protection with FortiGate:
Upgrade to IPS definitions version 18.100 or above, and make sure the action for signature FG-VD-50483 is set to block.
Acknowledgement
Fortinet is pleased to thank Cyrille Chatras of Orange Group for bringing this issue to our attention under responsible disclosure.