PSIRT Advisories

FortiManager & FortiAnalyzer - Use after free vulnerability in fgfmsd daemon

Summary

A Use After Free (CWE-416) vulnerability in FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the fgfm port of the targeted device.

Please note that FGFM is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models:
1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E. 

Affected Products

FortiManager versions 5.6.10 and below.
FortiManager versions 6.0.10 and below.
FortiManager versions 6.2.7 and below.
FortiManager versions 6.4.5 and below.
FortiManager version 7.0.0.
FortiManager versions 5.4.x.

FortiAnalyzer versions 5.6.10 and below.
FortiAnalyzer versions 6.0.10 and below.
FortiAnalyzer versions 6.2.7 and below.
FortiAnalyzer versions 6.4.5 and below.
FortiAnalyzer version 7.0.0.

Solutions

Please upgrade to FortiManager version 5.6.11 or above.

Please upgrade to FortiManager version 6.0.11 or above.

Please upgrade to FortiManager version 6.2.8 or above.

Please upgrade to FortiManager version 6.4.6 or above.

Please upgrade to FortiManager version 7.0.1 or above.

 

Please upgrade to FortiAnalyzer version 5.6.11 or above.

Please upgrade to FortiAnalyzer version 6.0.11 or above.

Please upgrade to FortiAnalyzer version 6.2.8 or above.

Please upgrade to FortiAnalyzer version 6.4.6 or above.

Please upgrade to FortiAnalyzer version 7.0.1 or above.

Workaround:

Disable FortiManager features on the FortiAnalyzer unit using the command below:
config system global
set fmg-status disable <--- Disabled by default.
end

Acknowledgement

Fortinet is pleased to thank Cyrille Chatras of Orange Group for brining this issue to our attention under responsible disclosure.