watchTowr Finds New Zero-Day Vulnerability in Fortinet Products


Attack surface management provider watchTowr claims to have found a new zero-day vulnerability in cybersecurity provider Fortinet’s products.

This flaw would allow a managed FortiGate device to elevate privileges and seize control of the FortiManager instance.

This new vulnerability is similar to a previous flaw discovered in October, CVE-2024-47575, also known as “FortiJump.” Researchers at watchTowr named it “FortiJump Higher.”

Background on FortiJump

FortiJump, or CVE-2024-47575, is a vulnerability in FortiManager, a Fortinet tool used by device administrators to maintain entire fleets of FortiGate appliances.

More specifically, FortiJump is the result of a missing authentication for a critical function (CWE-306) in the FortiManager fgfmd daemon that allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

It allows threat actors to use a compromised FortiManager device to execute arbitrary code or commands against other FortiManager devices.

This vulnerability, which carries a Common Vulnerability Scoring System (CVSS) score of 9.8, is actively exploited in the wild, sometimes together with CVE-2024-23113, another vulnerability in Fortinet products discovered in February 2024.

FortiJump has been analyzed by several security providers, including Google Cloud-owned Mandiant, Bishop Fox and Rapid7.


Discovery of FortiJump Higher

In a new report published on November 15, watchTowr said it came across some new issues in FortiManager while trying to reproduce a FortiJump exploit in its lab.

Specifically, watchTowr claimed to have found a new vulnerability, FortiJump Higher, that is triggered by an exploit technique similar to FortiJump's, as well as two file overwrite vulnerabilities that could be leveraged to crash the system.

The company also claimed that the patch released by Fortinet, supposed to fix FortiJump, is not effective for all exploit methods.

“[Our findings] imply that Fortinet has simply patched the wrong code, in the wrong file, in an entirely different library,” the watchTowr researchers said in the report.

They claimed FortiJump Higher remains effective even in patched versions, enabling adversaries to escalate privileges from a managed FortiGate appliance to the central FortiManager appliance. They added that compromising any managed FortiGate appliance can be leveraged to gain control over the FortiManager itself – and, consequently, all other managed appliances.

“While we don’t have visibility into the inner workings of advanced persistent threat (APT) groups, in our opinion, it seems highly likely that successful APT groups are not entirely stupid and hold a high probability that if they found one vulnerability in this magical solution of spaghetti – they likely spotted others, which Fortinet have left untouched,” they added. “The low complexity of these vulnerabilities brings into question the overall quality of the FortiManager codebase.”

watchTowr said it contacted Fortinet about this new vulnerability. Nevertheless, it decided to publish its findings before any public response from the security company because its researchers believe that the similarities between FortiJump and FortiJump Higher mean that threat actors actively exploiting the former are likely also exploiting the latter.

Infosecurity has contacted Fortinet. A company spokesperson confirmed the new findings have “been sent on to Fortinet’s HQ, who are handling this request and will be in touch as soon as possible.”

This is a developing story and this article may be updated as new information becomes available.
