Format String Bug in fgfmd

Summary

A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Version Affected Solution
FortiOS 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
FortiOS 7.2 7.2.0 through 7.2.6 Upgrade to 7.2.7 or above
FortiOS 7.0 7.0.0 through 7.0.13 Upgrade to 7.0.14 or above
FortiPAM 1.3 Not affected Not Applicable
FortiPAM 1.2 1.2 all versions Migrate to a fixed release
FortiPAM 1.1 1.1 all versions Migrate to a fixed release
FortiPAM 1.0 1.0 all versions Migrate to a fixed release
FortiProxy 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
FortiProxy 7.2 7.2.0 through 7.2.8 Upgrade to 7.2.9 or above
FortiProxy 7.0 7.0.0 through 7.0.15 Upgrade to 7.0.16 or above
FortiWeb 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

FortiOS 6.x is not affected.
Workarounds
For each interface, remove the fgfm access, for example change :
config system interface
edit "portX"
set allowaccess ping https ssh fgfm
next
end
to :
config system interface
edit "portX"
set allowaccess ping https ssh
next
end
Note that this will prevent FortiGate discovery from FortiManager. Connection will still be possible from FortiGate.
Please also note that a local-in policy that only allows FGFM connections from a specific IP will reduce the attack surface but it won't prevent the vulnerability from being exploited from this IP. As a consequence, this should be used as a mitigation and not as a complete workaround.

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.

Timeline

2024-02-08: Initial publication
2024-04-09: added more affected products