CVE-2021-32589: FortiManager & FortiAnalyzer UAF Vulnerability

On July 19, 2021, Fortinet released a security advisory for a use-after-free (UAF) remote code execution vulnerability in FortiManager and FortiAnalyzer, tracked as CVE-2021-32589 with a CVSSv3 score of 7.5. FortiManager and FortiAnalyzer provide centralized management and logging, command and control, and network traffic and attack reporting and analysis. The UAF vulnerability exists in the fgfmsd daemon of FortiManager and FortiAnalyzer; an attacker can execute unauthorized code as the root user.

Vulnerability Detail

There is a UAF (Use-After-Free) vulnerability in the fgfmsd daemon of FortiManager and FortiAnalyzer. A remote, unauthenticated attacker can execute unauthorized code as the root user by sending a specially crafted request to the fgfm port of the target device.

FGFM is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models:
1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E.

Affected versions

FortiManager versions 5.6.10 and below.
FortiManager versions 6.0.10 and below.
FortiManager versions 6.2.7 and below.
FortiManager versions 6.4.5 and below.
FortiManager version 7.0.0.
FortiManager versions 5.4.x.

FortiAnalyzer versions 5.6.10 and below.
FortiAnalyzer versions 6.0.10 and below.
FortiAnalyzer versions 6.2.7 and below.
FortiAnalyzer versions 6.4.5 and below.
FortiAnalyzer version 7.0.0.
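The affected ranges above are branch-specific (5.4.x entirely, 5.6.x up to 5.6.10, 7.0.0 only, and so on), so a plain string comparison gets them wrong. The following is an added example, not Fortinet's code or tooling, that encodes exactly the ranges listed on this page and flags builds from a constructed asset inventory; the inventory hostnames and version strings are made up, and note that for FortiAnalyzer the version check alone does not tell you whether FGFM is actually enabled.

```python
"""Triage helper for CVE-2021-32589: flag FortiManager / FortiAnalyzer builds that
fall inside the affected ranges listed in the advisory. All sample data is constructed."""
import re
from typing import Optional, Tuple

# Per product: ((major, minor) branch, highest affected patch level or None = whole branch)
AFFECTED = {
    "FortiManager": [
        ((5, 4), None),   # every 5.4.x release
        ((5, 6), 10),     # 5.6.10 and below
        ((6, 0), 10),     # 6.0.10 and below
        ((6, 2), 7),      # 6.2.7 and below
        ((6, 4), 5),      # 6.4.5 and below
        ((7, 0), 0),      # 7.0.0 only
    ],
    "FortiAnalyzer": [
        ((5, 6), 10),
        ((6, 0), 10),
        ((6, 2), 7),
        ((6, 4), 5),
        ((7, 0), 0),
    ],
}

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Accept forms like '6.4.5', 'v6.4.5-build2288' or 'FortiManager 6.4.5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_affected(product: str, version: str) -> Optional[bool]:
    """True if inside an affected range, False if not, None if unparseable or unknown product."""
    parsed = parse_version(version)
    if parsed is None or product not in AFFECTED:
        return None
    major, minor, patch = parsed
    for (bmaj, bmin), max_patch in AFFECTED[product]:
        if (major, minor) == (bmaj, bmin):
            return max_patch is None or patch <= max_patch
    return False  # branch not listed on this page (e.g. fixed 6.4.6+ / 7.0.1+)

INVENTORY = [  # constructed sample asset records, not real hosts
    ("fmg-01", "FortiManager", "v6.4.5-build2288"),
    ("fmg-02", "FortiManager", "v6.4.6-build2300"),
    ("faz-01", "FortiAnalyzer", "5.6.10"),
    ("faz-02", "FortiAnalyzer", "7.0.1"),
]

def triage(inventory=INVENTORY):
    """Return the names of inventory entries whose build is in an affected range."""
    return [name for name, prod, ver in inventory if is_affected(prod, ver)]

if __name__ == "__main__":
    print(triage())  # ['fmg-01', 'faz-01']
```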

Solution

We recommend that users upgrade FortiManager and FortiAnalyzer to the latest version promptly.
Temporary mitigation

Disable FortiManager features on the FortiAnalyzer unit using the command below:

config system global
    set fmg-status disable
end

(fmg-status is disabled by default on FortiAnalyzer.)