Understanding the FortiJump Vulnerability: A Deep Dive into CVE-2024-47575

The cybersecurity landscape is constantly evolving, with new threats emerging almost daily. One of the most pressing issues currently facing organizations is a critical vulnerability within Fortinet’s FortiManager, a widely used tool for managing FortiGate firewalls across extensive networks. This vulnerability, tracked as CVE-2024-47575 and informally referred to as "FortiJump," has been actively exploited in zero-day attacks, raising alarms within the cybersecurity community. This article will delve into the details of this vulnerability, its implications, and the necessary steps organizations should take to safeguard their systems.

Patch Information ‘Leaked’ – How Does That Happen?

Before CVE-2024-47575 was officially designated, discussions about the vulnerability began circulating on various cybersecurity platforms, prompting questions about the transparency of information dissemination. On October 13, cybersecurity researcher Kevin Beaumont took to social media to warn FortiManager users to take immediate protective measures. At that time, Fortinet had not yet publicly acknowledged the vulnerability, although the company had privately notified select customers, providing them with mitigation steps via email.

This lack of formal communication led to frustration among users who felt blindsided by the vulnerability. Discussions on platforms like Reddit highlighted concerns about the inadequacy of update notifications, which often lacked clarity regarding resolved issues. The situation raised significant questions about transparency and the effectiveness of Fortinet’s communication strategy, as many users learned about the zero-day vulnerability through unofficial channels and online discussions.

What is CVE-2024-47575 / FortiJump Vulnerability?

On October 23, 2024, Fortinet officially released an advisory detailing the CVE-2024-47575 vulnerability, which affects the FortiManager API and carries a severity rating of 9.8 (Critical) on the Common Vulnerability Scoring System (CVSS) scale. The vulnerability stems from a lack of authentication for critical functions, allowing remote attackers to execute arbitrary code or commands on vulnerable FortiManager devices by sending specially crafted requests.

The exploitation of this vulnerability poses a significant risk to organizations. Attackers could gain unauthorized access to FortiManager servers, potentially exfiltrating sensitive data such as configuration files, IP addresses, and credentials for managed devices. For Managed Service Providers (MSPs), this vulnerability could enable attackers to traverse networks, increasing the risk for downstream clients. Fortinet has acknowledged that CVE-2024-47575 was actively exploited in the wild before the official patch was released, allowing attackers to remotely control FortiManager devices and potentially compromise connected FortiGate firewalls and networks. Fortunately, Fortinet reported that there have been no confirmed instances of malware, backdoors, or unauthorized changes to managed devices on compromised systems.

In response to the vulnerability, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-47575 to its Known Exploited Vulnerabilities (KEV) Catalog, mandating that federal agencies patch this vulnerability by the compliance deadline of November 13, 2024.

Analysis and FGFM Exposure

Beaumont’s analysis of the vulnerability, which he dubbed "FortiJump," highlighted the FortiGate to FortiManager (FGFM) protocol as a critical component of the issue. This protocol facilitates communication between FortiManager and FortiGate devices, and attackers can exploit flaws in device authentication. By registering a rogue FortiGate device with the FortiManager, attackers can gain control over managed firewalls and access sensitive configuration data. Even basic security measures can be bypassed, as attackers can reuse certificates from existing FortiGate devices to register their malicious counterparts.

A Shodan search revealed that approximately 60,000 FGFM devices are directly exposed to the internet, with a significant number located in the United States. This alarming statistic underscores the urgency for organizations to assess their exposure and take appropriate action.

Which FortiManager Versions Are Affected?

The CVE-2024-47575 vulnerability impacts several versions of FortiManager and FortiManager Cloud. The affected versions include:

• FortiManager:

  • 7.6.0
  • 7.4.0 through 7.4.4
  • 7.2.0 through 7.2.7
  • 7.0.0 through 7.0.12
  • 6.4.0 through 6.4.14
  • 6.2.0 through 6.2.12
• FortiManager Cloud:
  • 7.4.1 through 7.4.4
  • 7.2.1 through 7.2.7
  • 7.0.1 through 7.0.12

Additionally, older FortiAnalyzer models may also be affected if specific configurations are applied, particularly if the fgfm service is enabled.

How Can You Address CVE-2024-47575?

To mitigate the risks associated with CVE-2024-47575, Fortinet recommends upgrading to fixed versions of FortiManager. The vulnerability is addressed in updated firmware releases, making it essential for organizations to ensure their systems are running these patched versions to prevent exploitation. For detailed information on recommended versions and patching instructions, organizations should refer to the official advisory issued by Fortinet.

Timely updates are critical, as cybercriminals are known to exploit unpatched vulnerabilities for data theft and network infiltration. For those unable to immediately apply patches, Fortinet has provided several workaround options based on the version in use.

Are There Any Workarounds Available?

For organizations unable to apply the patch immediately, Fortinet has outlined several workaround options:

• For versions 7.0.12 and above (except 7.6.0), block unknown devices from registering.
• For versions 7.2.0 and above, implement local-in policies to allow connections only from trusted FortiGate devices.
• For versions 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above, utilize custom certificates to restrict access, ensuring only devices with matching certificates can connect.

Older versions, such as 6.2 and 6.4, require an upgrade to a patched version, as they do not support these workarounds.

Indicators of Compromise (IOCs)

Organizations should be vigilant for Indicators of Compromise (IOCs) associated with the exploitation of CVE-2024-47575. Key IOCs include:

• IP Addresses:
  • 45.32.41.202
  • 104.238.141.143
  • 158.247.199.37
  • 45.32.63.2

Notably, one of these IP addresses (104.238.141.143) was previously linked to SuperShell C2 infrastructure, which was involved in attacks on F5 BIG-IP routers.

• Log Entries:
  • Type=event, subtype=dvm, pri=information, desc="Device, manager, generic, information, log", user="device,…", msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"
  • Type=event, subtype=dvm, pri=notice, desc="Device, Manager, dvm, log, at, notice, level", user="System", userfrom="", msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

Conclusion

The FortiJump vulnerability (CVE-2024-47575) represents a significant threat to organizations utilizing FortiManager for firewall management. With active exploitation in the wild, it is crucial for organizations to take immediate action to patch affected systems and implement recommended workarounds if necessary. Transparency in communication from vendors like Fortinet is essential to ensure users are informed and can respond effectively to emerging threats. By staying vigilant and proactive, organizations can better protect themselves against the evolving landscape of cybersecurity threats.