A significant security concern has been identified in FortiOS, specifically within the fgfmd daemon, presenting an externally-controlled format string vulnerability (CWE-134). This flaw could potentially empower a remote, unauthenticated attacker to execute arbitrary code or commands through specially crafted requests. The severity of this vulnerability necessitates immediate attention from users and administrators.
Fortinet has provided version-specific solutions for affected products, emphasizing the urgency of upgrading to secure releases. For instance, FortiOS 7.4 users should upgrade to version 7.4.3 or above. Similar upgrade paths are outlined for FortiPAM, FortiProxy, and FortiSwitchManager across various versions. Importantly, FortiOS 6.x remains unaffected by this vulnerability.
To mitigate risks while upgrading, Fortinet suggests workarounds involving the removal of fgfm access for each interface. This entails modifying the allowaccess settings, though it is acknowledged that this may impact FortiGate discovery from FortiManager. Additionally, local-in policies restricting FGFM connections to specific IPs are recommended as a supplementary mitigation measure, although they do not provide complete immunity.
The discovery and reporting of this vulnerability are credited to Gwendal Guégniaud of Fortinet’s Product Security team, underlining the importance of collaborative efforts in maintaining system integrity.
