A bug in Fortinet FortiManager and FortiAnalyzer allows unauthenticated hackers to run code as root

Fortinet fixes a serious bug in its FortiManager and FortiAnalyzer network management solutions that could be exploited to execute arbitrary code as root.

Fortinet has released security updates to address a serious bug, tracked as CVE-2021-32589, affecting FortiManager and FortiAnalyzer network management solutions.

The CVE-2021-32589 vulnerability is a Use After Free issue that an attacker could exploit to execute arbitrary code as root.

“A Use After Free (CWE-416) vulnerability in FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the fgfm port of the targeted device.” reads the advisory published by the company.

FortiManager and FortiAnalyzer are network management solutions for large enterprises to control and monitor their equipment. The affected products include:

FortiManager versions 5.6.10 and below.
FortiManager versions 6.0.10 and below.
FortiManager versions 6.2.7 and below.
FortiManager versions 6.4.5 and below.
FortiManager version 7.0.0.
FortiManager versions 5.4.x.

FortiAnalyzer versions 5.6.10 and below.
FortiAnalyzer versions 6.0.10 and below.
FortiAnalyzer versions 6.2.7 and below.
FortiAnalyzer versions 6.4.5 and below.
FortiAnalyzer version 7.0.0.

An attacker could trigger the flaw by sending a specially crafted request to the “FGFM” port of a vulnerable device.

The advisory states that FGFM is disabled by default on FortiAnalyzer by default on FortiAnalyzer and can be enabled only on specific hardware models, including 1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E. 

The company also provides workaround to address the issue, it consists of disabling FortiManager features on the FortiAnalyzer unit using the following command:

config system global
set fmg-status disable 

The flaw was reported to the vendor by security expert Cyrille Chatras from the Orange group.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FortiManager)

[adrotate banner=”5″]

[adrotate banner=”13″]