Attack surface management provider watchTowr claims to have discovered a new zero-day vulnerability in cybersecurity vendor Fortinet’s products.
The flaw would allow a managed FortiGate device to escalate privileges and seize control of the FortiManager instance.
This new vulnerability is similar to a previous flaw discovered in October, CVE-2024-47575, also known as “FortiJump.” Researchers at watchTowr named it “FortiJump Higher.”
Background on FortiJump
FortiJump, or CVE-2024-47575, is a vulnerability in FortiManager, a Fortinet tool used by device administrators to manage entire fleets of FortiGate appliances.
More specifically, FortiJump is the result of a missing authentication for a critical function (CWE-306) in the FortiManager fgfmd daemon that allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
It allows threat actors to use a compromised FortiManager device to execute arbitrary code or commands against other FortiManager devices.
This vulnerability, which carries a Common Vulnerability Scoring System (CVSS) score of 9.8, is actively exploited in the wild, sometimes in conjunction with CVE-2024-23113, another vulnerability in Fortinet products discovered in February 2024.
🚨 Fortinet CVE-2024-23113 – actively exploited by state-sponsored hackers – is now being exploited by cybercriminals who’ve reverse-engineered it and are selling access to compromised devices
If you haven’t patched, restrict port 541 to approved IPs or implement cert auth. pic.twitter.com/8ay8TnFq1b
— Matt Johansen (@mattjay) November 14, 2024
FortiJump has been analyzed by several security vendors, including Google Cloud-owned Mandiant, Bishop Fox and Rapid7.
Discovery of FortiJump Higher
In a new report published on November 15, watchTowr said it came across some new issues in FortiManager while attempting to reproduce a FortiJump exploit in its lab.
Specifically, watchTowr claimed to have discovered a new vulnerability with the same exploit method that triggers FortiJump – FortiJump Higher – as well as two file overwrite vulnerabilities that could be leveraged to crash the system.
The company also claimed that the patch released by Fortinet, intended to fix FortiJump, is not effective for all exploit methods.
“[Our findings] suggest that Fortinet has simply patched the wrong code, in the wrong file, in a completely different library,” the watchTowr researchers said in the report.
They claimed FortiJump Higher remains effective even in patched versions, enabling adversaries to escalate privileges from a managed FortiGate appliance to the central FortiManager appliance. They added that compromising any managed FortiGate appliance could be leveraged to gain control over the FortiManager itself – and, consequently, all other managed appliances.
“While we don’t have visibility into the inner workings of advanced persistent threat (APT) groups, in our opinion, it seems highly likely that successful APT groups are not completely stupid, and there is a high probability that if they found one vulnerability in this magical solution of spaghetti – they likely saw others, which Fortinet have left untouched,” they added. “The low complexity of these vulnerabilities brings into question the overall quality of the FortiManager codebase.”
watchTowr said it contacted Fortinet about this new vulnerability. However, it decided to publish its findings before any public response from the security company because its researchers believe that the similarities between FortiJump and FortiJump Higher mean that threat actors actively exploiting the former are likely also exploiting the latter.
Infosecurity has contacted Fortinet. A company spokesperson confirmed the new findings have “been sent directly to Fortinet’s HQ, who are handling this request and will be in touch as soon as possible.”
This is a developing story and this article may be updated as new information becomes available.