FortiManager & FortiAnalyzer - Use after free vulnerability in fgfmsd daemon

FortiManager & FortiAnalyzer - Use after free vulnerability in fgfmsd daemon

Summary

A Use After Free (CWE-416) vulnerability in FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the fgfm port of the targeted device.

Please note that FGFM is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models:
1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E. 

Impact

Remote code execution as root

Affected Products

FortiManager versions 5.6.10 and below.
FortiManager versions 6.0.10 and below.
FortiManager versions 6.2.7 and below.
FortiManager versions 6.4.5 and below.
FortiManager version 7.0.0.
FortiManager versions 5.4.x.


FortiAnalyzer versions 5.6.10 and below.
FortiAnalyzer versions 6.0.10 and below.
FortiAnalyzer versions 6.2.7 and below.
FortiAnalyzer versions 6.4.5 and below.
FortiAnalyzer version 7.0.0.

Solutions

Please upgrade to FortiManager version 5.6.11 or above.

Please upgrade to FortiManager version 6.0.11 or above.

Please upgrade to FortiManager version 6.2.8 or above.

Please upgrade to FortiManager version 6.4.6 or above.

Please upgrade to FortiManager version 7.0.1 or above.

 

Please upgrade to FortiAnalyzer version 5.6.11 or above.

Please upgrade to FortiAnalyzer version 6.0.11 or above.

Please upgrade to FortiAnalyzer version 6.2.8 or above.

Please upgrade to FortiAnalyzer version 6.4.6 or above.

Please upgrade to FortiAnalyzer version 7.0.1 or above.


Workaround:

Disable FortiManager features on the FortiAnalyzer unit using the command below:
config system global
set fmg-status disable <--- Disabled by default.
end


Protection with FortiGate:

Upgrade to IPS definitions version 18.100 or above, and make sure the action for signature FG-VD-50483 is set to block.

Acknowledgement

Fortinet is pleased to thank Cyrille Chatras of Orange Group for brining this issue to our attention under responsible disclosure.