Skip to content
RADICAL OPAQUENESS

FortiGate admins report active exploitation 0-day. Vendor isn’t talking.

Vulnerability allowing remote code execution has been discussed since at least 9 days ago.

Dan Goodin | 68
A cake made to resemble Fortigate device
Credit: Fortinet
Credit: Fortinet
Story text

Fortinet, a maker of network security software, has kept a critical vulnerability under wraps for more than a week amid reports that attackers are using it to execute malicious code on servers used by sensitive customer organizations.

Fortinet representatives didn’t respond to emailed questions and have yet to release any sort of public advisory detailing the vulnerability or the specific software that’s affected. The lack of transparency is consistent with previous zero-days that have been exploited against Fortinet customers. With no authoritative source for information, customers, reporters, and others have few other avenues for information other than social media posts where the attacks are being discussed.

RCE stands for remote code execution

According to one Reddit post, the vulnerability affects FortiManager, a software tool for managing all traffic and devices on an organization’s network. Specific versions vulnerable, the post said, include FortiManager versions:

  • 7.6.0 and below
  • 7.4.4 and below
  • 7.2.7 and below
  • 7.0.12 and below
  • 6.4.14 and below

Users of these versions can protect themselves by installing versions 7.6.1 or above, 7.4.5 or above, 7.2.8 or above, 7.0.13 or above, or 6.4.15 or above. There are reports that the cloud-based FortiManager Cloud is vulnerable as well.

Some administrators of FortiGate-powered networks report receiving emails from the company notifying them of the available updates and advice to install them. Others say they received no such emails. Fortigate hasn’t published any sort of public advisory or a CVE designation for security practitioners to track the zero-day.

The vulnerability has been discussed since at least October 13. According to independent researcher Kevin Beaumont, the security bug stems from a default FortiManager setting that allows devices with unknown or unauthorized serial numbers to register themselves into an organization’s FortiManager dashboard. Precise details still aren’t clear, but a now-deleted comment on Reddit indicated that the zero-day allows attackers to “steal a Fortigate certificate from any Fortigate, register to your FortiManager and gain access to it.”

Citing the Reddit comment, Beaumont took to Mastodon to explain: “People are quite openly posting what is happening on Reddit now, threat actors are registering rogue FortiGates into FortiManager with hostnames like 'localhost' and using them to get RCE.”

Beaumont wasn’t immediately available to elaborate. In the same thread, another user said that based on the brief description, it appears attackers are somehow stealing digital certificates authenticating a device to a customer network, loading it onto a FortiGate device they own, and then registering the device into the customer network.

The person continued:

From there, they can configure their way into your network or possibly take other admin actions (eg. possibly sync configs from trustworthy managed devices to their own?) It's not super clear from these threads. The mitigation to prevent unknown serial numbers suggests that a speedbump to fast onboarding prevents even a cert-bearing(?) device from being included into the fortimanager.

Beaumont went on to say that based on evidence he’s seen, China-state hackers have “been hopping into internal networks using this one since earlier in the year, looks like.”

60,000 devices exposed

After this post went live on Ars, Beaumont published a post that said the vulnerability likely resides in the FortiGate to FortiManager protocol. FGFM is the language that allows Fortigate firewall devices to communicate with the manager over port 541. As Beaumont pointed out, the Shodan search engine shows more than 60,000 such connections exposed to the Internet.

Beaumont wrote:

There’s one requirement for an attacker: you need a valid certificate to connect. However, you can just take a certificate from a FortiGate box and reuse it. So, effectively, there’s no barrier to registering.

Once registered, there’s a vulnerability which allows remote code execution on the FortiManager itself via the rogue FortiGate connection.

From the FortiManager, you can then manage the legit downstream FortiGate firewalls, view config files, take credentials and alter configurations. Because MSPs — Managed Service Providers — often use FortiManager, you can use this to enter internal networks downstream.

Because of the way FGFM is designed — NAT traversal situations — it also means if you gain access to a managed FortiGate firewall you then can traverse up to the managing FortiManager device… and then back down to other firewalls and networks.

To make matters harder for FortiGate customers and defenders, the company’s support portal was returning connection errors at the time this post went live on Ars that prevented people from accessing the site.

Security through obscurity

FortiGate has a history of silently patching critical security vulnerabilities and disclosing them only after they’re widely exploited. Company representatives have repeatedly opted not to answer Ars' questions about its policy for disclosing security vulnerabilities, particularly those being exploited by nation-state hackers.

FortiGate’s opaqueness in responding to the zero-day comes as Carl Windsor, the company’s chief information security officer, published a post in May affirming what he said was a commitment to “being a role model in ethical and responsible product development and vulnerability disclosure.” He added: “We have a longstanding commitment to responsible radical transparency, which includes proactively upholding the highest standards for responsible disclosure practices, which align with international and industry best practices.”

Earlier this month, Fortinet researchers dropped a 4,000-word analysis of zero-days in the products of rival Ivanti that were under exploitation by nation-state actors.

With no public advisory from Fortinet, the world at large lacks the same kind of important safety information, including the indicators of compromise, how widely exploited the vulnerability is, and what types of malicious activity occur inside infected networks.

Post updated to add comments from Beaumont blog post.

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
68 Comments
Staff Picks
f
fuzzyfuzzyfungus
what amazes me is someone would just open up to the entire internet the fortimanager VS restricting it to specific internal network etc..

I assume that some of it is just sloppy; but there are presumably also people specifically using fortimanager to deal with a whole fleet of teeny little branch office or remote work type firewalls(something like the fortigate 30G) that may not even be coming from static IPs; but which need their configs kept in sync and managed as needed.

The fact that the vulnerability apparently involves being able to use random fortigate certs to enroll devices into fortimanager suggests that fortinet might have inadvertently leaned a little too hard into the desire to facilitate EZ-provisioning use cases(rather than default deny with either requiring your own certs loaded for more paranoid environments; or at least blessing clients by serial number with the SN included in the vendor loaded cert for setups where they don't want IT to have to touch every teeny branch firewall before it gets shipped to location.

Sure; if you are using fortimanager to keep a handful of bigger firewalls on a relatively well defined corporate network in sync you've screwed up if the thing is internet accessible; but the relatively tiny devices they also sell suggest that wide-area remote management is also an intended use case.
X
Xelas
This is bad anf Fortinet aren't playing nice.

That said, nobody - as in nobody - should have Fortimanager exposed to the Internet. It should be locked away on your L2 separated Management network, like your other critical management tools.

I will never understand why people do such stupid things. It's the same with vCenter. Or Salt. Or PowerShell. Not meant for inbound Internet traffic. Ever.
Because not every organization is an office building. Fortigates are wildly popular in retail, and managing thousands of site-to-site VPN tunnels is very difficult and generally unreliable, so it is common to have a hybrid model of public FortiManager instances that they use for bulk configuration management and VPN tunnels for things like log traffic, device SSH/GUI access, etc.
When the VPN tunnel goes down at a site, you can still manage it through FortiManager and you have a way to push scripts to the device to bounce the VPN tunnel, update certs, etc.
anguisette
anguisette
So, all of them? Do you really think that every bug gets logged?
do i think every remote code execution vulnerability in a VPN product from a reputable vendor gets publicly disclosed? yes, i do. this is table stakes for a security company nowadays, we're way past "just fix the bug and hope nobody noticed" -- especially since in this case people did notice and the bug is being actively exploited.
Prev story
Next story