Attack surface management provider watchTowr claims to have found a new zero-day vulnerability in cybersecurity provider Fortinet’s products.
This flaw would allow a managed FortiGate device to elevate privileges and seize control of the FortiManager instance.
This new vulnerability is similar to a previous flaw discovered in October, CVE-2024-47575, also known as “FortiJump.” Researchers at watchTowr named it “FortiJump Higher.”
Background on FortiJump
FortiJump, or CVE-2024-47575, is a vulnerability in FortiManager, a Fortinet tool used by device administrators to maintain entire fleets of FortiGate appliances.
More specifically, FortiJump is the result of a missing authentication for a critical function (CWE-306) in the FortiManager fgfmd daemon that allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
It allows threat actors to use a compromised FortiManager device to execute arbitrary code or commands against other FortiManager devices.
This vulnerability, which carries a Common Vulnerability Scoring System (CVSS) score of 9.8, is actively exploited in the wild, sometimes in combination with CVE-2024-23113, another vulnerability in Fortinet products disclosed in February 2024.
🚨 Fortinet CVE-2024-23113 – actively exploited by state-sponsored hackers – is now being exploited by cybercriminals who have reverse-engineered it and are selling access to compromised devices
If you haven’t patched, restrict port 541 to approved IPs or enforce cert auth.
— Matt Johansen (@mattjay) November 14, 2024
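The tweet above names the two interim mitigations for an unpatched FortiManager: allow-list which FortiGate addresses may reach the FGFM service on TCP/541, and refuse registration attempts from devices the manager does not already know. The script below is an added example, written for this page rather than taken from Fortinet, watchTowr or the tweet's author, that audits a FortiManager CLI config export for those two controls. It assumes the config follows FortiManager's `config system global` (with the `fgfm-deny-unknown` option) and `config system local-in-policy` syntax (with `action`, `dport` and `src` fields) as given in Fortinet's published workaround; the exact option names are an assumption here and should be checked against the CLI reference for the firmware in use. Both config blocks, the hostnames and the subnets are constructed samples.

```python
"""Audit a FortiManager CLI config export for two FGFM mitigations:
(1) TCP/541 is allow-listed to approved FortiGate sources and then denied,
(2) fgfm-deny-unknown is enabled so unknown devices cannot register.

ASSUMPTION: option and field names follow FortiManager's `config system
global` / `config system local-in-policy` CLI as shown in Fortinet's
workaround guidance; verify them against your firmware's CLI reference.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: FGFM reachable from anywhere, unknown devices may register.
WEAK_CONFIG = """\
config system global
    set fgfm-deny-unknown disable
    set hostname "fmg-lab"
end
"""

# Constructed sample: two management subnets allowed on TCP/541, everything
# else denied, and registration refused for devices not already known.
HARDENED_CONFIG = """\
config system global
    set fgfm-deny-unknown enable
    set hostname "fmg-lab"
end
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 10.10.0.0/24 192.0.2.0/29
    next
    edit 2
        set action deny
        set dport 541
    next
end
"""


def parse_fmg_config(text: str) -> Dict[str, object]:
    """Walk the `config ... / edit N / set k v / next / end` structure and
    return {'global': {key: value}, 'local_in': [{'id': .., key: value}, ..]}."""
    global_set: Dict[str, str] = {}
    local_in: List[Dict[str, str]] = []
    section = None
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit "):
            entry = {"id": line.split(None, 1)[1]}
        elif line == "next":
            if section == "system local-in-policy" and entry is not None:
                local_in.append(entry)
            entry = None
        elif line == "end":
            section = None
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            value = value.strip().strip('"')
            if section == "system global":
                global_set[key] = value
            elif section == "system local-in-policy" and entry is not None:
                entry[key] = value
    return {"global": global_set, "local_in": local_in}


def audit_fgfm_exposure(text: str, approved: List[str]) -> Dict[str, object]:
    """Return mitigation state plus findings; an empty findings list means
    both mitigations are present for the given approved source subnets."""
    cfg = parse_fmg_config(text)
    findings: List[str] = []
    deny_unknown = cfg["global"].get("fgfm-deny-unknown") == "enable"
    if not deny_unknown:
        findings.append("fgfm-deny-unknown not enabled: unknown devices may register")
    approved_nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    rules = [e for e in cfg["local_in"] if e.get("dport") == "541"]
    accepts = [e for e in rules if e.get("action") == "accept"]
    denies = [e for e in rules if e.get("action") == "deny"]
    bad: List[str] = []
    for e in accepts:
        srcs = e.get("src", "").split()
        if not srcs:  # accept with no src means TCP/541 open to any source
            bad.append(f"policy {e['id']} accepts TCP/541 from any source")
            continue
        for s in srcs:
            net = ipaddress.ip_network(s, strict=False)
            if not any(a.version == net.version and net.subnet_of(a) for a in approved_nets):
                bad.append(f"policy {e['id']} accepts TCP/541 from unapproved {s}")
    findings.extend(bad)
    if not denies:
        findings.append("no local-in policy denies TCP/541 after the allow-list")
    restricted = bool(accepts) and not bad and bool(denies)
    return {"deny_unknown": deny_unknown, "port541_restricted": restricted, "findings": findings}


if __name__ == "__main__":
    approved = ["10.10.0.0/24", "192.0.2.0/29"]
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_fgfm_exposure(cfg, approved))
```

Run it against a `show full-configuration` export (or a backup) and the list of management subnets your FortiGates actually connect from; any finding is a gap against the mitigations the tweet describes. The check deliberately treats an accept rule without a source as a failure, since that is exactly the "open to anyone who can reach port 541" state that CWE-306 in fgfmd makes dangerous.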
FortiJump has been analyzed by several security providers, including Google Cloud-owned Mandiant, Bishop Fox and Rapid7.
Discovery of FortiJump Higher
In a new report published on November 15, watchTowr said it came across some new issues in FortiManager while trying to reproduce a FortiJump exploit in its lab.
Specifically, watchTowr said it found a new vulnerability, dubbed FortiJump Higher, that is reached through an exploit technique similar to the one that triggers FortiJump, as well as two file overwrite vulnerabilities that could be leveraged to crash the system.
The company also claimed that the patch Fortinet released to fix FortiJump does not block every exploitation method.
“[Our findings] imply that Fortinet has simply patched the wrong code, in the wrong file, in an entirely different library,” the watchTowr researchers said in the report.
They claimed FortiJump Higher remains effective even in patched versions, enabling adversaries to escalate privileges from a managed FortiGate appliance to the central FortiManager appliance. They added that compromising any managed FortiGate appliance can be leveraged to gain control over the FortiManager itself – and, consequently, all other managed appliances.
“While we don’t have visibility into the inner workings of advanced persistent threat (APT) groups, in our opinion, it seems highly likely that successful APT groups are not entirely stupid and hold a high probability that if they found one vulnerability in this magical solution of spaghetti – they likely spotted others, which Fortinet have left untouched,” they added. “The low complexity of these vulnerabilities brings into question the overall quality of the FortiManager codebase.”
watchTowr said it contacted Fortinet about this new vulnerability. However, it decided to publish its findings before any public response from the security company because its researchers believe that the similarities between FortiJump and FortiJump Higher mean that threat actors actively exploiting the former are likely also exploiting the latter.
Infosecurity has contacted Fortinet. A company spokesperson confirmed the new findings have “been sent on to Fortinet’s HQ, who are handling this request and will be in touch as soon as possible.”
This is a developing story and this article may be updated as new information becomes available.