Fortiguard has released a security update for FortiManager and FortiAnalyzer to address a vulnerability that gives an attacker direct access as the root user and could lead to remote code execution.

A Use After Free (CWE-416) vulnerability in the FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorized code as root by sending a specifically crafted request to the fgfm port of the targeted device.

Products under Threat

  • FortiManager versions 5.6.10 and below.
  • FortiManager versions 6.0.10 and below.
  • FortiManager versions 6.2.7 and below.
  • FortiManager versions 6.4.5 and below.
  • FortiManager version 7.0.0.
  • FortiManager versions 5.4.x.
  • FortiAnalyzer versions 5.6.10 and below.
  • FortiAnalyzer versions 6.0.10 and below.
  • FortiAnalyzer versions 6.2.7 and below.
  • FortiAnalyzer versions 6.4.5 and below.
  • FortiAnalyzer version 7.0.0.

Workaround

FGFM is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models: 1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E. Where it has been enabled, the exposure can be removed by turning it off again.

Disable FortiManager features on the FortiAnalyzer unit using the commands below:
config system global
set fmg-status disable
end
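As an added example (not Fortinet's code or part of the advisory), the following script checks a reported firmware version against the affected list above and inspects `config system global` output for the fmg-status setting used in the workaround. The sample CLI output is constructed; thresholds encode only the branches the advisory lists.

```python
"""Triage helper for the FortiManager / FortiAnalyzer fgfmsd advisory above.
Added example, not Fortinet's code; affected ranges are taken from the advisory."""
import re

# Per product, per release branch: the highest affected patch level ("x.y.z and
# below"). None means the whole branch is listed (FortiManager 5.4.x).
AFFECTED = {
    "FortiManager": {(5, 4): None, (5, 6): 10, (6, 0): 10, (6, 2): 7, (6, 4): 5, (7, 0): 0},
    "FortiAnalyzer": {(5, 6): 10, (6, 0): 10, (6, 2): 7, (6, 4): 5, (7, 0): 0},
}


def parse_version(text):
    """Parse strings like 'v6.4.5' or '6.2.7 build1234' into (major, minor, patch)."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True if product/version falls inside the advisory's affected list.
    Branches or patch levels the advisory does not list (e.g. 6.4.6, 7.0.1)
    return False; this reflects the list, not an independent assessment."""
    branches = AFFECTED[product]
    major, minor, patch = parse_version(version)
    ceiling = branches.get((major, minor), "unlisted")
    if ceiling == "unlisted":
        return False
    return ceiling is None or patch <= ceiling


def fgfm_enabled(config_text):
    """Inspect 'config system global' output for 'set fmg-status'.
    FGFM is disabled by default, so a missing line counts as disabled."""
    m = re.search(r"^\s*set fmg-status\s+(\w+)", config_text, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "enable"


# Constructed sample output, not captured from a real device.
SAMPLE_CONFIG = """config system global
    set hostname FAZ-LAB
    set fmg-status enable
end
"""

if __name__ == "__main__":
    for product, ver in [("FortiManager", "v6.4.5"), ("FortiManager", "v6.4.6"),
                         ("FortiManager", "5.4.3"), ("FortiAnalyzer", "7.0.0")]:
        print(product, ver, "affected" if is_affected(product, ver) else "not listed")
    print("FGFM enabled on FortiAnalyzer:", fgfm_enabled(SAMPLE_CONFIG))
```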

Solution

To fix the issue permanently, upgrade both FortiManager and FortiAnalyzer to a release later than the affected versions listed above, in which the issue is resolved.