Friday, February 9, 2024

FG-IR-24-029 (Affected version: 7.x) (CVE-2024-23113) - (CVSS 9.8) - Fortinet Fortigate

FG-IR-24-029: FortiOS - Format String Bug in fgfmd. A use of externally-controlled format string vulnerability [CWE-134] in the FortiOS fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.



Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool 

This one needs to be patched ASAP if your firewall is Internet facing and running 7.x.

Workarounds:
For each interface, remove the fgfm access, for example change:

config system interface
    edit "portX"
        set allowaccess ping https ssh fgfm
    next
end

to:

config system interface
    edit "portX"
        set allowaccess ping https ssh
    next
end

Note that this will prevent FortiGate discovery from FortiManager. Connections from the FortiGate will still work.

Please also note that a local-in policy that only allows FGFM connections from a specific IP will reduce the attack surface but it won't prevent the vulnerability from being exploited from this IP. As a consequence, this should be used as a mitigation and not as a complete workaround.
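To check a fleet quickly, it helps to audit a FortiOS configuration backup for interfaces that still list fgfm under allowaccess and to generate the matching CLI to remove it. The script below is an added example written for this post, not Fortinet's code or tooling; the configuration text it parses is a constructed sample, the interface names, addresses and hostname are made up, and the use of `unset allowaccess` for an interface whose only service was fgfm is an assumption about the CLI. It only reads the `config system interface` section and reports which interfaces still expose the FGFM service.

```python
import re
from typing import Dict, List

# Constructed sample of a FortiOS configuration backup (not from a real device).
# port1 and port2 still expose fgfm; port3 does not.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system interface
    edit "port1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role wan
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm fabric
        set role lan
    next
    edit "port3"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https
    next
end
"""


def parse_interfaces(config_text: str) -> Dict[str, List[str]]:
    """Return {interface_name: [allowaccess services]} from 'config system interface'.

    Only the 'set allowaccess' line inside each 'edit' block is read; an
    interface with no such line gets an empty service list.
    """
    interfaces: Dict[str, List[str]] = {}
    in_interface_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_interface_section = True
            continue
        if not in_interface_section:
            continue          # skip other sections (and their own 'end')
        if line == "end":
            break             # end of the interface section
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if line == "next":
            current = None
            continue
        if current is not None and line.startswith("set allowaccess"):
            interfaces[current] = line.split()[2:]
    return interfaces


def fgfm_exposed(interfaces: Dict[str, List[str]]) -> List[str]:
    """Names of interfaces whose allowaccess list still contains fgfm, sorted."""
    return sorted(name for name, svcs in interfaces.items() if "fgfm" in svcs)


def remediation_cli(interfaces: Dict[str, List[str]]) -> str:
    """Build the CLI that strips fgfm from each exposed interface, keeping the other services.

    When fgfm was the only service, the block emits 'unset allowaccess'
    (assumed CLI form) instead of an empty 'set allowaccess'.
    """
    exposed = fgfm_exposed(interfaces)
    if not exposed:
        return ""
    lines = ["config system interface"]
    for name in exposed:
        kept = [s for s in interfaces[name] if s != "fgfm"]
        lines.append(f'    edit "{name}"')
        if kept:
            lines.append(f'        set allowaccess {" ".join(kept)}')
        else:
            lines.append("        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    print("Interfaces still exposing fgfm:", fgfm_exposed(ifaces))
    print(remediation_cli(ifaces))
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents; the generated block is the same change shown in the workaround above, applied to every interface found. As the note above says, this removes FortiManager-initiated discovery, and a local-in policy limiting the source IP is only a partial mitigation.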

Reference:
