A critical use-after-free vulnerability that allows remote code execution has been identified in Fortinet’s FortiManager and FortiAnalyzer network management solutions. If exploited, an unauthenticated remote attacker could execute code on a vulnerable device with root privileges, giving the attacker full control of that device.
The flaw, tracked as CVE-2021-32589, was discovered by security researcher Cyrille Chatras of Orange Group, who reported it to Fortinet. The bug lies in the fgfmsd daemon of both products and can be triggered by sending a specially crafted request to the fgfm port of a vulnerable device.
To exploit the flaw, fgfm must be enabled. Fortinet reports that fgfm is disabled by default on FortiAnalyzer; however, users can enable it on the 1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F and 3900E appliances.
FortiAnalyzer is therefore only vulnerable when it supports FortiManager features that have been enabled on that specific hardware, and only with a very specific upgrade path. Fortinet has released patches for all major software releases. To ensure the flaw cannot be exploited, FortiManager and FortiAnalyzer users should make sure they are running the latest version of the software. The bug is fixed in versions 5.6.11, 6.0.11, 6.2.8, 6.4.6 and 7.0.1.
If a software update cannot be performed immediately, FortiAnalyzer users can, as a workaround, manually disable the FortiManager features on their FortiAnalyzer appliance by entering the following commands in the management console (the closing end command commits the change and leaves the configuration context):
config system global
set fmg-status disable
end
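The triage logic implied by the advisory, as an added example that is not part of the original article or any Fortinet tool: it encodes the fixed versions per release branch and the exposure conditions (fgfm enabled, FortiAnalyzer model able to run FortiManager features) so a defender can classify an inventory of devices. The version-string format, the product/model arguments and the fgfm_enabled flag are assumptions; the sample version line is constructed.

```python
import re

# Fixed versions per release branch, as stated in the advisory text above.
# A device on one of these branches at or above the listed version is patched.
FIXED_VERSIONS = {
    (5, 6): (5, 6, 11),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
    (6, 4): (6, 4, 6),
    (7, 0): (7, 0, 1),
}

# FortiAnalyzer models on which the advisory says FortiManager features
# (and therefore fgfm) can be enabled.
FAZ_MODELS_WITH_FMG_FEATURES = {
    "1000D", "1000E", "2000E", "3000D", "3000E",
    "3000F", "3500E", "3500F", "3700F", "3900E",
}


def parse_version(text):
    """Extract (major, minor, patch) from a version string such as 'v6.4.5'.
    The surrounding line format is an assumption, not Fortinet's exact output."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True if version is at or above the fixed release of its branch.
    Returns None when the branch is not one listed in the advisory."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def assess(product, version, fgfm_enabled, model=None):
    """Classify one device as 'patched', 'vulnerable', 'not exposed' or 'unknown'.
    fgfm_enabled reflects the fgfm service (fmg-status on FortiAnalyzer);
    model, when given for FortiAnalyzer, is checked against the advisory list."""
    fixed = is_fixed(version)
    if fixed is None:
        return "unknown"        # branch not covered by the advisory text
    if fixed:
        return "patched"
    if product == "FortiAnalyzer" and model and model not in FAZ_MODELS_WITH_FMG_FEATURES:
        return "not exposed"    # hardware cannot run FortiManager features
    if not fgfm_enabled:
        return "not exposed"    # fgfm is off, so the daemon is not reachable
    return "vulnerable"
```

Run assess() over each device's version and fmg-status to find the ones that need the upgrade or the workaround above.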