Demo of the CyCognito Platform

See the CyCognito platform in action to understand how it can help you identify, prioritize and eliminate your most critical risks. 

 
State of External Exposure Management, Summer 2024 Edition

Download the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024. 

The Total Economic Impact™ of The CyCognito Platform

Read The Total Economic Impact™ of The CyCognito Platform — a Forrester study. Cost Savings And Business Benefits Enabled By The CyCognito Platform. 

 
Research

Emerging Threat: FortiJump (CVE-2024-47575) 

Emma-Zaballos
By Emma Zaballos
Product Marketing Manager
October 29, 2024

What is FortiJump? 

CVE-2024-47575, also known as FortiJump, is a critical (9.8) missing authentication vulnerability affecting critical functions in FortiManager and FortiManager Cloud versions. Threat researcher Kevin Beaumont published a blog post on October 22nd, 2024 identifying this vulnerability as a zero day. This vulnerability is separate from CVE-2024-23113, which also affects FortiGate devices. 

FortiJump affects the FortiGate to FortiManager (FGFM) protocol, which is used throughout FortiGate and FortiManager deployments to manage FortiGate firewalls, including creating groups, adding devices, installing policy packages, and managing device settings.  

A Shodan search reveals approximately 60,000 FGFM assets are externally exposed worldwide, indicating a significant potential scale of exploitation.

What assets are affected by FortiJump?

This vulnerability affects the FortiManager versions below:

  • FortiManager 7.6.0
  • FortiManager 7.4.0 through 7.4.4
  • FortiManager 7.2.0 through 7.2.7
  • FortiManager 7.0.0 through 7.0.12
  • FortiManager 6.4.0 through 6.4.14
  • FortiManager 6.2.0 through 6.2.12
  • FortiManager Cloud 7.4.1 through 7.4.4
  • FortiManager Cloud 7.2.1 through 7.2.7
  • FortiManager Cloud 7.0.1 through 7.0.12
  • FortiManager Cloud 6.4 all versions

Fortinet also disclosed that FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with a specific feature enabled are vulnerable. 

FortiManager Cloud 7.6 is not affected by FortiJump. 

What is the impact of this vulnerability? 

This flaw takes advantage of several lax security standards in FortiManager, including an issue where FGFM allows unauthorized and unknown devices to register with no authentication. All that is required is a valid certificate, but attackers can reuse certificates from any FortiGate box.  

Once registered, attackers can execute arbitrary code or commands, potentially escalating to remote code execution (RCE) or taking over the management of FortiGate firewalls. 

This vulnerability poses significant risks because it enables attackers to both enter downstream connections – moving from FortiManager to internal networks – but also move upstream, leveraging a compromised FortiGate firewall to jump upwards to the FortiManager connected to it, as well as any other internal networks connected to that FortiManager instance.   

Is a fix available? 

Fortinet has released patches for some affected versions and suggests migration to a fixed release for others: 

  • FortiManager 7.6.0: Upgrade to 7.6.1 or above
  • FortiManager 7.4.0 through 7.4.4: Upgrade to 7.4.5 or above
  • FortiManager 7.2.0 through 7.2.7: ​​Upgrade to 7.2.8 or above
  • FortiManager 7.0.0 through 7.0.12: Upgrade to 7.0.13 or above
  • FortiManager 6.4.0 through 6.4.14: Upgrade to 6.4.15 or above
  • FortiManager 6.2.0 through 6.2.12: Upgrade to 6.2.13 or above
  • FortiManager Cloud 7.4.1 through 7.4.4: Upgrade to 7.4.5 or above
  • FortiManager Cloud 7.2.1 through 7.2.7: Upgrade to 7.2.8 or above
  • FortiManager Cloud 7.0.1 through 7.0.12: Upgrade to 7.0.13 or above
  • FortiManager Cloud 6.4 all versions: Migrate to a fixed release

Because FortiManager Cloud 7.6 is not affected by FortiJump, no action is required. 

Are there any other actions to take? 

Disabling FGFM using the setting fgfm-deny-unknown will prevent unknown devices from registering with FortiManager. Users can also prevent FGFM from presenting to the internet, although this removes its core functionality. 

Fortinet has also released a list of potential workarounds

Is FortiJump being actively exploited? 

Researchers report that FortiJump is being actively exploited, although no proof-of-concept (PoC) has been released yet.

Are there any potential Indicators of Compromise (IOCs)? 

Fortinet has released a list of potential IOCs, including log entries, IP addresses, serial numbers, and files. However, they note that in the case of the log entries, the entries below may continue being logged even after devices are updated, as the fixes prevent unauthorized devices from sending exploit commands, not from being added in the first place. If a fix has been successfully implemented, these logs instead indicate a failed attempt at compromise. Fortinet also notes that file IoCs may not appear in all cases.

Log entries
  • type=event,subtype=dvm,pri=information,desc=”Device,manager,generic,information,log”,user=”device,…”,msg=”Unregistered device localhost add succeeded” device=”localhost” adom=”FortiManager” session_id=0 operation=”Add device” performed_on=”localhost” changes=”Unregistered device localhost add succeeded”
  • type=event,subtype=dvm,pri=notice,desc=”Device,Manager,dvm,log,at,notice,level”,user=”System”,userfrom=””,msg=”” adom=”root” session_id=0 operation=”Modify device” performed_on=”localhost” changes=”Edited device settings (SN FMG-VMTM23017412)”
IP addresses
  • 45.32.41.202
  • 104.238.141.143
  • 158.247.199.37
  • 45.32.63.2 
  • 195.85.114.78 (as reported by Mandiant)
Serial Number
  • FMG-VMTM23017412
Files
  • /tmp/.tm
  • /var/tmp/.tm

How is CyCognito helping customers identify assets vulnerable to FortiJump? 

CyCognito is actively researching an active detection method for this vulnerability. As of October 28th, users can check if their assets are potentially vulnerable using provided filters and lists in the CyCognito platform. All customers also have access to an in-platform emerging threat announcement. 

Figure 1: The alert sent by CyCognito for these issues.

How can CyCognito help your organization? 

CyCognito is an exposure management platform that reduces risk by discovering, testing, and prioritizing security issues. The platform scans billions of websites, cloud applications, and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. Want to see how it works? Check out our website and explore our platform with a self-guided, interactive dashboard product tour. To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.


Topics



Search the Blog



Recent Posts








Top Tags



CyCognito Research Report

State of External Exposure Management, Summer 2024 Edition

State of External Exposure Management, Summer 2024 Edition

Download the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024.

O'Reilly Report

Moving from Vulnerability Management to Exposure Management

Moving from Vulnerability Management to Exposure Management

Download the report to learn about the historical trends behind the emergence of exposure management, how to develop a strategic plan and assemble a team to smoothly transition frameworks, and example tech stacks to consider for your organization.

Request a Free Scan

See Exactly What Attackers See

Get a Free Scan of Your Attack Surface

Get a free scan of your attack surface and gain valuable insight into your organization's risk posture by allowing CyCognito to discover, contextualize, and test externally exposed assets on a portion of your parent company or a single subsidiary.