Buffer overflow in fgfmd

A stack-based overflow vulnerability [CWE-124] in FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager may allow a remote attacker to execute arbitrary code or commands via crafted packets that reach the fgfmd daemon. Exploitation depends on conditions that lie beyond the attacker’s control.

| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.4 | 7.4.0 through 7.4.3 | Upgrade to 7.4.4 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.14 | Upgrade to 7.0.15 or above |
| FortiOS 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiOS 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiOS 6.0 | 6.0 all versions | Migrate to a fixed release |
| FortiPAM 1.3 | Not affected | Not Applicable |
| FortiPAM 1.2 | 1.2 all versions | Migrate to a fixed release |
| FortiPAM 1.1 | 1.1 all versions | Migrate to a fixed release |
| FortiPAM 1.0 | 1.0 all versions | Migrate to a fixed release |
| FortiProxy 7.4 | 7.4.0 through 7.4.3 | Upgrade to 7.4.4 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.9 | Upgrade to 7.2.10 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |
| FortiProxy 2.0 | 2.0 all versions | Migrate to a fixed release |
| FortiProxy 1.2 | 1.2 all versions | Migrate to a fixed release |
| FortiProxy 1.1 | 1.1 all versions | Migrate to a fixed release |
| FortiProxy 1.0 | 1.0 all versions | Migrate to a fixed release |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| FortiSwitchManager 7.0 | 7.0.1 through 7.0.3 | Upgrade to 7.0.4 or above |

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Workaround:

For each interface, remove the fgfm access. For example, change:

```
config system interface
    edit "portX"
        set allowaccess ping https ssh fgfm
    next
end
```

to:

```
config system interface
    edit "portX"
        set allowaccess ping https ssh
    next
end
```

Note that this will prevent FortiGate discovery from FortiManager. Connection will still be possible from FortiGate.

Please also note that a local-in policy that only allows FGFM connections from a specific IP will reduce the attack surface but it won’t prevent the vulnerability from being exploited from this IP. As a consequence, this should be used as a mitigation and not as a complete workaround.
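To apply the version table and the workaround above across many devices, the following added example (not Fortinet's code) checks a FortiOS version against the FortiOS rows of the table and lists the interfaces in a plain-text configuration backup whose `set allowaccess` line still includes `fgfm`. The function names and the sample configuration are assumptions constructed for illustration.

```python
# FortiOS rows from the advisory table: branch -> first fixed patch level.
FIXED = {(7, 4): 4, (7, 2): 8, (7, 0): 15}
# Branches the table lists as "all versions" (migrate to a fixed release).
ALL_AFFECTED = {(6, 4), (6, 2), (6, 0)}

def fortios_affected(version):
    """True/False per the advisory table; None if the branch is not listed."""
    major, minor, patch = (int(p) for p in version.split("."))
    if (major, minor) in ALL_AFFECTED:
        return True
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    return None

def interfaces_with_fgfm(config_text):
    """Names of interfaces whose 'set allowaccess' line includes fgfm."""
    exposed, stack, current = [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])  # enter a (possibly nested) block
        elif line == "end":
            if stack:
                stack.pop()                      # leave the innermost block
        elif stack and stack[-1] == "system interface":
            if line.startswith("edit "):
                current = line[len("edit "):].strip('"')
            elif line.startswith("set allowaccess ") and "fgfm" in line.split()[2:]:
                exposed.append(current)
    return exposed

# Constructed sample backup excerpt (not taken from a real device).
SAMPLE = '''
config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm
        config ipv6
            set ip6-address 2001:db8::1/64
        end
    next
    edit "port2"
        set allowaccess ping https ssh
    next
end
'''

if __name__ == "__main__":
    print("FortiOS 7.4.3 affected:", fortios_affected("7.4.3"))
    print("Interfaces exposing fgfm:", interfaces_with_fgfm(SAMPLE))
```

The parser tracks nested `config` blocks with a stack, so it also handles backups where `config system interface` sits inside another block.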

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.

Timeline

2024-06-11: Initial publication
2024-06-12: added fixed version for FortiProxy 7.0.x
