
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN366
_____________________________________________________________________

DATE                : 20/07/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiManager, FortiAnalyzer
              versions prior to 5.6.11, 6.0.11, 6.2.8, 6.4.6, 7.0.1.

=====================================================================
https://fortiguard.com/psirt/FG-IR-21-067
_____________________________________________________________________

FortiManager & FortiAnalyzer - Use after free vulnerability in fgfmsd daemon

IR Number    : FG-IR-21-067
Date         : Jul 19, 2021
Risk         : 5/5
CVSSv3 Score : 7.5
Impact       : Remote code execution as root
CVE ID       : CVE-2021-32589


Affected Products:
FortiManager: 7.0.0, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0,
6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8,
6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.10, 6.0.1, 6.0.0, 5.6.9,
5.6.8, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.10, 5.6.1, 5.6.0,
5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.2.9, 5.2.8,
5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.10, 5.2.1, 5.2.0, 5.0.9,
5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.12, 5.0.11, 5.0.10,
5.0.1, 5.0.0
FortiAnalyzer: 7.0.0, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.7,
6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7,
6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.10, 6.0.1, 6.0.0, 5.6.9, 5.6.8,
5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.10, 5.6.1, 5.6.0, 5.4.7,
5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.11, 5.2.9, 5.2.8,
5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.10


Summary

A Use After Free (CWE-416) vulnerability in FortiManager and
FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated
attacker to execute unauthorized code as root via sending a specifically
crafted request to the fgfm port of the targeted device.

Please note that FGFM is disabled by default on FortiAnalyzer and can
only be enabled on specific hardware models: 1000D, 1000E, 2000E, 3000D,
3000E, 3000F, 3500E, 3500F, 3700F, 3900E.


Impact

Remote code execution as root

Affected Products

FortiManager versions 5.6.10 and below. FortiManager versions 6.0.10 and
below. FortiManager versions 6.2.7 and below. FortiManager versions
6.4.5 and below. FortiManager version 7.0.0. FortiManager versions
5.4.x.

FortiAnalyzer versions 5.6.10 and below. FortiAnalyzer versions 6.0.10
and below. FortiAnalyzer versions 6.2.7 and below. FortiAnalyzer
versions 6.4.5 and below. FortiAnalyzer version 7.0.0.


Solutions

Please upgrade to FortiManager version 5.6.11 or above.

Please upgrade to FortiManager version 6.0.11 or above.

Please upgrade to FortiManager version 6.2.8 or above.

Please upgrade to FortiManager version 6.4.6 or above.

Please upgrade to FortiManager version 7.0.1 or above.

Please upgrade to FortiAnalyzer version 5.6.11 or above.

Please upgrade to FortiAnalyzer version 6.0.11 or above.

Please upgrade to FortiAnalyzer version 6.2.8 or above.

Please upgrade to FortiAnalyzer version 6.4.6 or above.

Please upgrade to FortiAnalyzer version 7.0.1 or above.
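
The following script is added here as a worked example and is not part
of the Fortinet advisory or this CERT-Renater note. It checks version
strings against the affected and fixed versions listed above, comparing
them numerically so that 6.0.10 is correctly ranked below 6.0.11; the
device names and versions in SAMPLE_INVENTORY are constructed.

```python
"""Triage helper for FG-IR-21-067 (CVE-2021-32589): decide whether a
FortiManager / FortiAnalyzer version string is affected.  Added example,
not code from Fortinet or CERT-Renater; thresholds copied from the advisory."""

# First fixed release per branch, from the advisory's "Solutions" section
# (the same thresholds apply to FortiManager and FortiAnalyzer).
FIXED_IN = {
    (5, 6): (5, 6, 11),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
    (6, 4): (6, 4, 6),
    (7, 0): (7, 0, 1),
}

# Constructed inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = {
    "fmg-lab-01": "6.4.5",    # listed as affected
    "fmg-prod-01": "6.4.6",   # first fixed 6.4 release
    "faz-core-01": "6.0.10",  # affected; a string compare would misrank it
    "fmg-old-01": "5.4.7",    # 5.4.x: affected, no in-branch fix listed
}


def parse_version(text):
    """Turn '6.4.5' into (6, 4, 5); reject anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if vulnerable per the advisory, False if fixed, None if the
    branch is newer than any the advisory mentions."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_IN:
        # Numeric tuple comparison, so (6, 0, 10) < (6, 0, 11) holds.
        return (major, minor, patch) < FIXED_IN[branch]
    if branch < (5, 6):
        # 5.4.x and older appear only in the affected list; the only
        # remediation the advisory gives is an upgrade to a fixed branch.
        return True
    return None


def triage(inventory):
    """Map each device name to 'vulnerable', 'fixed' or 'not covered'."""
    labels = {True: "vulnerable", False: "fixed", None: "not covered"}
    return {name: labels[is_affected(v)] for name, v in inventory.items()}
```

Calling triage(SAMPLE_INVENTORY) returns a dict of device name to
status; feed it the output of a real inventory query instead.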


Workaround:

Disable FortiManager features on the FortiAnalyzer unit using the
command below (fmg-status is disabled by default):

    config system global
        set fmg-status disable
    end


Acknowledgement

Fortinet is pleased to thank Cyrille Chatras of Orange Group for bringing
this issue to our attention under responsible disclosure.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


