
FortiGuard releases Security Update


FortiGuard has released a security update for FortiManager and FortiAnalyzer to address an issue that gives an attacker direct access as the root user and could lead to remote code execution.

A Use After Free (CWE-416) vulnerability in the FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, unauthenticated attacker to execute unauthorized code as root by sending a specifically crafted request to the fgfm port of the targeted device.

Products under Threat

Workaround

FGFM is disabled by default on FortiAnalyzer and can only be enabled on the following hardware models:
1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E.

Disable FortiManager features on the FortiAnalyzer unit using the command below:
config system global
set fmg-status disable
end

Solution

To mitigate the issue permanently, upgrade both FortiManager and FortiAnalyzer from the affected versions described above to a version in which this issue is fixed.
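The workaround and the solution above both come down to one operational question for each FortiAnalyzer unit: is FGFM switched on, and what should the operator do about it? The script below is an added example, not part of the advisory or of Fortinet's own tooling. It assumes the operator has pasted the output of the unit's `show system global` CLI command (a `config system global ... end` block of `set key value` lines) and knows the platform name in a form like "FortiAnalyzer-3000E" (an assumed naming convention); the sample output in the block is constructed for illustration. It parses the block, treats a missing `fmg-status` as the factory default (disabled, as the advisory states), checks the model against the advisory's hardware list, and prints the advisory's workaround commands when FGFM is found enabled.

```python
"""
Added example (not part of the advisory or of Fortinet's tooling): assess a
FortiAnalyzer unit's FGFM exposure from captured CLI output and emit the
workaround quoted in the advisory.

Assumptions: the operator supplies the text of `show system global`
(a `config system global ... end` block of `set key value` lines) and a
platform name such as "FortiAnalyzer-3000E" (assumed naming). The sample
input at the bottom is constructed, not captured from a real device.
"""
import re
from dataclasses import dataclass

# Hardware models on which FGFM can be enabled, as listed in the advisory.
FGFM_CAPABLE_MODELS = {
    "1000D", "1000E", "2000E", "3000D", "3000E",
    "3000F", "3500E", "3500F", "3700F", "3900E",
}

# Workaround commands quoted in the advisory.
WORKAROUND_CLI = "config system global\n    set fmg-status disable\nend"

SET_LINE = re.compile(r"^set\s+(\S+)\s+(.+)$")


@dataclass
class FgfmAssessment:
    model: str
    fgfm_capable: bool   # model appears in the advisory's hardware list
    fmg_status: str      # "enable", "disable", or "default" when not shown
    exposed: bool        # FGFM is switched on, so the fgfmsd daemon is reachable
    action: str          # what the operator should do next


def parse_system_global(cli_output):
    """Return the `set <key> <value>` pairs inside a `config system global` block."""
    settings = {}
    in_block = False
    for raw in cli_output.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        match = SET_LINE.match(line)
        if match:
            # Quoted values such as `set hostname "faz-01"` are stored unquoted.
            settings[match.group(1)] = match.group(2).strip().strip('"')
    return settings


def extract_model(platform_name):
    """Model suffix of a name like 'FortiAnalyzer-3000E' -> '3000E' (assumed naming)."""
    return platform_name.split("-", 1)[-1].strip().upper()


def assess(platform_name, system_global_output):
    """Combine model and fmg-status into an exposure verdict and a next action."""
    model = extract_model(platform_name)
    capable = model in FGFM_CAPABLE_MODELS
    settings = parse_system_global(system_global_output)
    # `show` prints only non-default values; absence means the factory default,
    # which the advisory states is disabled on FortiAnalyzer.
    status = settings.get("fmg-status", "default").lower()
    exposed = status == "enable"

    if exposed:
        action = "FGFM is enabled: apply the workaround now, then upgrade.\n" + WORKAROUND_CLI
        if not capable:
            action += "\n(note: model is not in the advisory's FGFM-capable list; verify the setting)"
    elif capable:
        action = "FGFM is disabled; keep it disabled and upgrade to a fixed release."
    else:
        action = "Model cannot enable FGFM; upgrade to a fixed release."
    return FgfmAssessment(model, capable, status, exposed, action)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real device.
    sample = 'config system global\n    set hostname "faz-lab-01"\n    set fmg-status enable\nend\n'
    print(assess("FortiAnalyzer-3000E", sample).action)
```

Because the check works on pasted text, it can be run from a jump host against exported configurations of many units at once, and the `action` string doubles as a ticket note: a unit that reports "FGFM is enabled" needs the workaround applied immediately and then the upgrade, while every other unit still needs the upgrade.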
