FortiManager & FortiAnalyzer - Use after free vulnerability in fgfmsd daemon

Summary

A Use After Free (CWE-416) vulnerability in the FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, unauthenticated attacker to execute unauthorized code as root by sending a specially crafted request to the fgfm port of the targeted device.

Please note that FGFM is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models:

1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E.

Version             Affected                  Solution
FortiAnalyzer 7.0   7.0.0                     Upgrade to 7.0.1 or above
FortiAnalyzer 6.4   6.4.0 through 6.4.5       Upgrade to 6.4.6 or above
FortiAnalyzer 6.2   6.2.0 through 6.2.7       Upgrade to 6.2.8 or above
FortiAnalyzer 6.0   6.0.0 through 6.0.10      Upgrade to 6.0.11 or above
FortiAnalyzer 5.6   5.6.0 through 5.6.10      Upgrade to 5.6.11 or above
FortiAnalyzer 5.4   5.4 all versions          Migrate to a fixed release
FortiAnalyzer 5.3   5.3 all versions          Migrate to a fixed release
FortiAnalyzer 5.2   5.2.4 through 5.2.10      Migrate to a fixed release
FortiManager 7.0    7.0.0                     Upgrade to 7.0.1 or above
FortiManager 6.4    6.4.0 through 6.4.5       Upgrade to 6.4.6 or above
FortiManager 6.2    6.2.0 through 6.2.7       Upgrade to 6.2.8 or above
FortiManager 6.0    6.0.0 through 6.0.10      Upgrade to 6.0.11 or above
FortiManager 5.6    5.6.0 through 5.6.10      Upgrade to 5.6.11 or above
FortiManager 5.4    5.4 all versions          Migrate to a fixed release
FortiManager 5.2    5.2 all versions          Migrate to a fixed release
FortiManager 5.0    5.0 all versions          Migrate to a fixed release
FortiPortal 6.0     6.0.0 through 6.0.4       Upgrade to 6.0.6 or above
FortiPortal 5.3     5.3.0 through 5.3.6       Upgrade to 5.3.7 or above
FortiPortal 5.2     5.2 all versions          Migrate to a fixed release
FortiPortal 5.1     5.1 all versions          Migrate to a fixed release
FortiPortal 5.0     5.0 all versions          Migrate to a fixed release
FortiPortal 4.2     4.2.1 through 4.2.2       Migrate to a fixed release
FortiPortal 4.1     4.1 all versions          Migrate to a fixed release
FortiPortal 4.0     4.0 all versions          Migrate to a fixed release
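When triaging an estate of FortiManager, FortiAnalyzer and FortiPortal units it is easy to misread "through" boundaries and "all versions" rows. The following script is an added example, not part of the Fortinet advisory or any Fortinet tool: it transcribes the table above into version ranges and compares a reported firmware version against them, returning whether the unit is affected and which remediation row applies. Version strings such as "6.4.3" are assumed inputs; the sample inventory at the bottom is constructed for illustration.

```python
"""Affected-version check for the fgfmsd use-after-free advisory table.

Added example: encodes the advisory's affected ranges and compares a
reported firmware version (e.g. "6.4.3") against them. Not Fortinet code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (patch optional) into a comparable tuple.

    Anything after whitespace (e.g. a build string) is ignored; this input
    format is an assumption, not something the advisory specifies.
    """
    parts = text.strip().split()[0].split(".")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


@dataclass(frozen=True)
class Row:
    branch: str            # e.g. "6.4"
    low: Optional[str]     # inclusive lower bound; None with high=None means the whole branch
    high: Optional[str]    # inclusive upper bound
    fix: Optional[str]     # fixed release to upgrade to; None means migrate off the branch

    def matches(self, v: Version) -> bool:
        major, minor = (int(x) for x in self.branch.split("."))
        if (v[0], v[1]) != (major, minor):
            return False
        if self.low is None and self.high is None:
            return True                      # "X.Y all versions"
        return parse_version(self.low) <= v <= parse_version(self.high)

    def advice(self) -> str:
        return f"Upgrade to {self.fix} or above" if self.fix else "Migrate to a fixed release"


# Ranges transcribed from the advisory table; rows shared by FortiManager and
# FortiAnalyzer are listed once and reused.
_SHARED = [
    Row("7.0", "7.0.0", "7.0.0", "7.0.1"),
    Row("6.4", "6.4.0", "6.4.5", "6.4.6"),
    Row("6.2", "6.2.0", "6.2.7", "6.2.8"),
    Row("6.0", "6.0.0", "6.0.10", "6.0.11"),
    Row("5.6", "5.6.0", "5.6.10", "5.6.11"),
    Row("5.4", None, None, None),
]

AFFECTED: Dict[str, List[Row]] = {
    "FortiAnalyzer": _SHARED + [
        Row("5.3", None, None, None),
        Row("5.2", "5.2.4", "5.2.10", None),
    ],
    "FortiManager": _SHARED + [
        Row("5.2", None, None, None),
        Row("5.0", None, None, None),
    ],
    "FortiPortal": [
        Row("6.0", "6.0.0", "6.0.4", "6.0.6"),
        Row("5.3", "5.3.0", "5.3.6", "5.3.7"),
        Row("5.2", None, None, None),
        Row("5.1", None, None, None),
        Row("5.0", None, None, None),
        Row("4.2", "4.2.1", "4.2.2", None),
        Row("4.1", None, None, None),
        Row("4.0", None, None, None),
    ],
}


def check(product: str, version: str) -> Tuple[bool, str]:
    """Return (affected, advice) for a product/version pair per the advisory table."""
    if product not in AFFECTED:
        raise ValueError(f"product not covered by this advisory: {product}")
    v = parse_version(version)
    for row in AFFECTED[product]:
        if row.matches(v):
            return True, row.advice()
    return False, "Not listed as affected"


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [("FortiManager", "6.4.3"), ("FortiAnalyzer", "7.0.1"),
                 ("FortiAnalyzer", "5.4.2"), ("FortiPortal", "6.0.5")]
    for product, version in inventory:
        affected, advice = check(product, version)
        print(f"{product} {version}: {'AFFECTED' if affected else 'ok'} - {advice}")
```

Boundary cases worth noting from the table itself: FortiAnalyzer 5.2.3 is below the listed 5.2.4 lower bound, so the script reports it as not listed, and FortiPortal 6.0.5 falls between the affected range (through 6.0.4) and the fixed release (6.0.6), so it is likewise reported as not listed rather than guessed at.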

Workaround:

Disable FortiManager features on the FortiAnalyzer unit using the command below:

config system global
    set fmg-status disable   <--- Disabled by default.
end

Acknowledgement

Fortinet is pleased to thank Cyrille Chatras of Orange Group for bringing this issue to our attention under responsible disclosure.