• Fortinet remote code

    From Sean Dennis@618:618/10 to All on Tue Jul 20 23:42:08 2021
    (This isn't good. I used to work a lot with Fortinet devices.)

    From: https://www.theregister.com/2021/07/20/fortinet_rce/

    ===
    Fortinet's security appliances hit by remote code execution vulnerability

    Cure worse than the disease for anyone with the 'fgfmsd' daemon
    activated

    Gareth Halfacree Tue 20 Jul 2021 // 14:30 UTC

    ----------------------------------------------------------------------

    Security appliance slinger Fortinet has warned of a critical vulnerability
    in its software that can be exploited to grant unauthenticated attackers
    full control over a targeted system, providing a particular daemon is
    enabled.

    The flaw, discovered by Orange Group security researcher Cyrille Chatras
    and sent to Fortinet privately for responsible disclosure, lies in
    FortiManager and FortiAnalyzer's fgfmsd daemon, which if running and
    vulnerable can be exploited over the network.

    "A Use After Free (CWE-416) vulnerability in [the] FortiManager and
    FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker
    to execute unauthorised code as root via sending a specifically crafted
    request to the FGFM port of the targeted device," the vendor warned
    customers.

    Note that the FGFM service is disabled by default in FortiAnalyzer and can
    only be enabled on 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F,
    and 3900E appliances.

    Those with affected FortiManager and FortiAnalyzer installations are
    advised to upgrade to the most recently released version - 5.6.11, 6.0.11,
    6.2.8, 6.4.6, or 7.0.1 or above, depending on which major release of the
    software you're running - to close the hole.

    Should that be impossible, and you're using a FortiAnalyzer box, a
    workaround is to disable the FortiManager features on the FortiAnalyzer
    unit manually with the following commands at the management console:

    config system global
    set fmg-status disable
    end

    "Memory related vulnerabilities are a common problem which can often have
    severe impact, such as is the case here," application security expert Sean
    Wright told The Register. "Ensuring appropriate checks are performed to
    identify these flaws is crucial, for example by using static code scanners
    which will detect and prevent their presence.

    "Alternatively, educating developers about their existence early in the
    development cycle will ensure code is built securely and without such
    flaws in the first place. A more drastic approach, which is not always
    possible, is to move to a language which performs automatic memory
    management, such as Go or Java."

    The vulnerability is the biggest to hit Fortinet products since October
    last year, when the US Department of Homeland Security's Cybersecurity and
    Infrastructure Security Agency (CISA) warned that flaws in the FortiOS SSL
    virtual private network (VPN) had been used to gain access to supposedly
    private networks in "multiple cases."

    More information is available in the FortiGuard Labs security bulletin.
    Fortinet did not respond to a request for additional comment by the time
    of publication. (R)
    ===

    -- Sean

    ... Government should spend our money like it was their own.
    ___ MultiMail/Win v0.52

    --- Maximus/2 3.01
    * Origin: Outpost BBS // bbs.outpostbbs.net:10123 (618:618/10)
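
An added example for the upgrade guidance quoted in the post above; it is not part of the original post, the article, or Fortinet's tooling. It checks each appliance's version against the fixed releases the article lists and applies the article's FortiAnalyzer model note. The inventory format, host names and status labels are assumptions made for illustration.

```python
# Added example: fixed releases and model list are taken from the article above.
FIXED = {(5, 6): 11, (6, 0): 11, (6, 2): 8, (6, 4): 6, (7, 0): 1}
FAZ_FGFM_MODELS = {"1000E", "2000E", "3000D", "3000E", "3000F",
                   "3500E", "3500F", "3700F", "3900E"}

# Constructed inventory (hypothetical hosts): name,product,model,version
SAMPLE_INVENTORY = """\
fmg-core,FortiManager,VM,6.4.5
fmg-lab,FortiManager,VM,7.0.1
faz-dc1,FortiAnalyzer,3000F,6.2.7
faz-branch,FortiAnalyzer,200F,6.0.10
faz-old,FortiAnalyzer,1000E,5.4.7
"""

def parse_version(text):
    """Turn 'v6.4.5' or '6.4.5' into (6, 4, 5); reject anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def triage(product, model, version):
    """Return (status, fixed_release_or_None) for one appliance."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # The article names no fixed release for this branch: do not guess.
        return ("unknown-branch", None)
    target = f"{major}.{minor}.{fixed_patch}"
    if patch >= fixed_patch:
        return ("patched", target)
    if product == "FortiAnalyzer":
        if model in FAZ_FGFM_MODELS:
            # FGFM can be enabled here, so the fmg-status workaround applies.
            return ("upgrade-or-disable-fmg-status", target)
        return ("upgrade-fgfm-not-available", target)
    return ("upgrade", target)

def triage_inventory(text):
    """Map host name -> triage result for each CSV line of the inventory."""
    results = {}
    for line in text.splitlines():
        if line.strip():
            name, product, model, version = (f.strip() for f in line.split(","))
            results[name] = triage(product, model, version)
    return results

if __name__ == "__main__":
    for host, (status, target) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status:32} fixed in: {target or 'n/a'}")
```

Branches the article does not mention are reported as `unknown-branch` rather than assumed safe or vulnerable.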