PSIRTUse after free vulnerability in fgfmsd daemon
Summary
A Use After Free (CWE-416) vulnerability in FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the fgfm port of the targeted device.
Please note that FGFM is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models:
1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E.
| Version | Affected | Solution |
|---|---|---|
| FortiAnalyzer 7.0 | 7.0.0 | Upgrade to 7.0.1 or above |
| FortiAnalyzer 6.4 | 6.4.0 through 6.4.5 | Upgrade to 6.4.6 or above |
| FortiAnalyzer 6.2 | 6.2.0 through 6.2.7 | Upgrade to 6.2.8 or above |
| FortiAnalyzer 6.0 | 6.0.0 through 6.0.10 | Upgrade to 6.0.11 or above |
| FortiAnalyzer 5.6 | 5.6.0 through 5.6.10 | Upgrade to 5.6.11 or above |
| FortiAnalyzer 5.4 | 5.4 all versions | Migrate to a fixed release |
| FortiAnalyzer 5.3 | 5.3 all versions | Migrate to a fixed release |
| FortiAnalyzer 5.2 | 5.2.4 through 5.2.10 | Migrate to a fixed release |
| FortiManager 7.0 | 7.0.0 | Upgrade to 7.0.1 or above |
| FortiManager 6.4 | 6.4.0 through 6.4.5 | Upgrade to 6.4.6 or above |
| FortiManager 6.2 | 6.2.0 through 6.2.7 | Upgrade to 6.2.8 or above |
| FortiManager 6.0 | 6.0.0 through 6.0.10 | Upgrade to 6.0.11 or above |
| FortiManager 5.6 | 5.6.0 through 5.6.10 | Upgrade to 5.6.11 or above |
| FortiManager 5.4 | 5.4 all versions | Migrate to a fixed release |
| FortiManager 5.2 | 5.2 all versions | Migrate to a fixed release |
| FortiManager 5.0 | 5.0 all versions | Migrate to a fixed release |
| FortiPortal 6.0 | 6.0.0 through 6.0.4 | Upgrade to 6.0.6 or above |
| FortiPortal 5.3 | 5.3.0 through 5.3.6 | Upgrade to 5.3.7 or above |
| FortiPortal 5.2 | 5.2 all versions | Migrate to a fixed release |
| FortiPortal 5.1 | 5.1 all versions | Migrate to a fixed release |
| FortiPortal 5.0 | 5.0 all versions | Migrate to a fixed release |
| FortiPortal 4.2 | 4.2.1 through 4.2.2 | Migrate to a fixed release |
| FortiPortal 4.1 | 4.1 all versions | Migrate to a fixed release |
| FortiPortal 4.0 | 4.0 all versions | Migrate to a fixed release |
Workaround:
Disable FortiManager features on the FortiAnalyzer unit using the command below:
config system global
set fmg-status disable <--- Disabled by default.
end