
Vulnerability Alert - FortiManager & FortiAnalyzer

TYPE
Vulnerabilities
SYSTEMS AFFECTED
FortiManager & FortiAnalyzer
ECOSYSTEM
Other
Description

Fortinet has released a security advisory addressing a use-after-free vulnerability (CVE-2021-32589) in the FortiManager fgfmsd daemon.[1][2]
A use-after-free condition occurs when a program marks a section of memory as free but subsequently continues to use that memory, which can result in a program crash.
Please note that FGFM is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models:
1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E.


Impact

A remote, unauthenticated attacker could execute arbitrary code as root by sending a specifically crafted request to the fgfm port of the targeted device.


Resolution

The affected versions are:
- FortiManager versions 5.6.10 and below, versions 6.0.10 and below, versions 6.2.7 and below, versions 6.4.5 and below, version 7.0.0 and versions 5.4.x;
- FortiAnalyzer versions 5.6.10 and below, versions 6.0.10 and below, versions 6.2.7 and below, versions 6.4.5 and below and version 7.0.0.

Users of the impacted versions must upgrade to the most recent version of their release branch:[1]
- FortiManager version 5.6.11 or above.
- FortiManager version 6.0.11 or above.
- FortiManager version 6.2.8 or above.
- FortiManager version 6.4.6 or above.
- FortiManager version 7.0.1 or above.

- FortiAnalyzer version 5.6.11 or above.
- FortiAnalyzer version 6.0.11 or above.
- FortiAnalyzer version 6.2.8 or above.
- FortiAnalyzer version 6.4.6 or above.
- FortiAnalyzer version 7.0.1 or above.
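Added triage helper (not part of the Fortinet advisory or this alert): it maps a FortiManager or FortiAnalyzer version string onto the affected ranges and fixed releases listed above, so an inventory can be checked before the upgrade or workaround is scheduled. The host names and versions in the sample inventory are constructed.

```python
from typing import Dict, List, Optional, Tuple

# (first affected, last affected, first fixed) per release branch, taken from the
# version lists in this alert. Both products share these branches; FortiManager
# additionally lists all 5.4.x builds as affected with no 5.4 fix.
BRANCHES = [
    ((5, 6, 0), (5, 6, 10), (5, 6, 11)),
    ((6, 0, 0), (6, 0, 10), (6, 0, 11)),
    ((6, 2, 0), (6, 2, 7), (6, 2, 8)),
    ((6, 4, 0), (6, 4, 5), (6, 4, 6)),
    ((7, 0, 0), (7, 0, 0), (7, 0, 1)),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'v6.4.5' or '6.4.5 build2288' into a comparable (major, minor, patch)."""
    core = text.strip().lstrip("vV").split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fixed_version(product: str, version: str) -> Optional[str]:
    """Return the first fixed release when (product, version) is affected, else None.

    product is 'FortiManager' or 'FortiAnalyzer'. 5.4.x is treated as affected
    only for FortiManager, because only that product lists it in the advisory;
    the lowest fixed release named for it is 5.6.11 (interpretation of the list).
    """
    v = parse_version(version)
    if product == "FortiManager" and v[:2] == (5, 4):
        return "5.6.11"
    for low, high, fixed in BRANCHES:
        if low <= v <= high:
            return ".".join(str(n) for n in fixed)
    return None


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each affected host to its upgrade target; unaffected hosts are omitted."""
    return {host: fix for host, product, ver in inventory
            if (fix := fixed_version(product, ver)) is not None}


# Constructed sample inventory, not real hosts.
SAMPLE = [("fmg-01", "FortiManager", "v6.4.5 build2288"),
          ("faz-01", "FortiAnalyzer", "7.0.0"),
          ("faz-02", "FortiAnalyzer", "6.2.8")]
```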

If it is not possible to upgrade immediately, it is recommended to disable the FortiManager features on the FortiAnalyzer unit using the CLI commands below:
config system global
set fmg-status disable
end


References

[1] https://www.fortiguard.com/psirt/FG-IR-21-067
[2] https://us-cert.cisa.gov/ncas/current-activity/2021/07/19/fortinet-releases-security-updates-fortimanager-and-fortianalyzer

Last updated on 07-09-2022