Buffer overflow in fgfmd
A stack-based overflow vulnerability [CWE-124] in FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager could allow a remote attacker to execute arbitrary code or commands via crafted packets that reach the fgfmd daemon. Exploitation depends on conditions that lie beyond the attacker’s control.
Version | Affected | Solution |
---|---|---|
FortiOS 7.4 | 7.4.0 through 7.4.3 | Upgrade to 7.4.4 or above |
FortiOS 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
FortiOS 7.0 | 7.0.0 through 7.0.14 | Upgrade to 7.0.15 or above |
FortiOS 6.4 | 6.4 all versions | Migrate to a fixed release |
FortiOS 6.2 | 6.2 all versions | Migrate to a fixed release |
FortiOS 6.0 | 6.0 all versions | Migrate to a fixed release |
FortiPAM 1.3 | Not affected | Not Applicable |
FortiPAM 1.2 | 1.2 all versions | Migrate to a fixed release |
FortiPAM 1.1 | 1.1 all versions | Migrate to a fixed release |
FortiPAM 1.0 | 1.0 all versions | Migrate to a fixed release |
FortiProxy 7.4 | 7.4.0 through 7.4.3 | Upgrade to 7.4.4 or above |
FortiProxy 7.2 | 7.2.0 through 7.2.9 | Upgrade to 7.2.10 or above |
FortiProxy 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |
FortiProxy 2.0 | 2.0 all versions | Migrate to a fixed release |
FortiProxy 1.2 | 1.2 all versions | Migrate to a fixed release |
FortiProxy 1.1 | 1.1 all versions | Migrate to a fixed release |
FortiProxy 1.0 | 1.0 all versions | Migrate to a fixed release |
FortiSwitchManager 7.2 | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
FortiSwitchManager 7.0 | 7.0.1 through 7.0.3 | Upgrade to 7.0.4 or above |
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
Workaround:
For each interface, remove the fgfm access. For example, change:
config system interface
edit "portX"
set allowaccess ping https ssh **fgfm**
next
end
to:
config system interface
edit "portX"
set allowaccess ping https ssh
next
end
Note that this will prevent FortiGate discovery from FortiManager. Connection will still be possible from FortiGate.
Please also note that a local-in policy that only allows FGFM connections from a specific IP will reduce the attack surface but it won’t prevent the vulnerability from being exploited from this IP. As a consequence, this should be used as a mitigation and not as a complete workaround.
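To find where the workaround still has to be applied, the following added example (not part of the advisory or any Fortinet tooling) scans a FortiOS configuration backup and lists the interfaces whose allowaccess line still contains fgfm. The function name and the sample configuration are constructed for illustration, and only the `allowaccess` setting shown above is checked.

```python
import shlex

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = '''\
config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm
    next
    edit "port2"
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "mgmt"
        set allowaccess ping fgfm
    next
end
config system global
    set hostname "lab-fgt"
end
'''

def interfaces_with_fgfm(config_text):
    """Return the interfaces whose allowaccess list still contains fgfm."""
    exposed, current, depth = [], None, 0
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:  # unbalanced quote, e.g. one line of a multi-line value
            continue
        if not tok:
            continue
        if depth == 0:  # outside the interface section: wait for its header
            if tok == ["config", "system", "interface"]:
                depth = 1
        elif tok[0] == "config":  # nested block inside an interface entry
            depth += 1
        elif tok[0] == "end":  # closes a nested block or the section itself
            depth -= 1
        elif tok[0] == "edit" and depth == 1 and len(tok) > 1:
            current = tok[1]  # interface name; nested edits are ignored
        elif tok[:2] == ["set", "allowaccess"] and "fgfm" in tok[2:]:
            if current not in exposed:  # nested hits count for the parent
                exposed.append(current)
    return exposed

if __name__ == "__main__":
    print(interfaces_with_fgfm(SAMPLE_CONFIG))
```

An empty list after the change confirms that no interface in the backup still grants fgfm access.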
Acknowledgement
Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.
Timeline
2024-06-11: Initial publication
2024-06-12: Added fixed version for FortiProxy 7.0.x