{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-036.pdf"
    },
    "title": "High Severity Vulnerability in FortiManager and FortiAnalyzer",
    "serial_number": "2021-036",
    "publish_date": "22-07-2021 14:14:00",
    "description": "On 19th of July 2021, Fortinet released information about a vulnerability (CVE-2021-32589) in FortiManager and FortiAnalyzer that could be exploited remotely by non-authenticated attackers to execute unauthorized / malicious code as \"root\". The severity of this vulnerability is high, with CVSSv3 Score 7.5.",
    "url_title": "2021-036",
    "content_markdown": "---\ntitle: 'High Severity Vulnerability in\u00a0FortiManager and FortiAnalyzer'\nversion: '1.0'\nnumber: '2021-036'\ndate: 'July 22, 2021'\n---\n\n_History:_\n\n* _22/07/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn 19th of July 2021, Fortinet released information about a vulnerability (CVE-2021-32589) in FortiManager and FortiAnalyzer that could be exploited remotely by non-authenticated attackers to execute unauthorized / malicious code as `root` [1]. The severity of this vulnerability is **high**, with CVSSv3 Score 7.5 [2].\n\n# Technical Details\n\nThe flaw resides in the `fgfmsd` daemon. If it is running and vulnerable, it can be exploited over the network. A use-after-free (CWE-416) vulnerability in the `fgfmsd` daemon may allow a remote, non-authenticated attacker to execute unauthorised code as root by sending a specifically crafted request to the FGFM port of the targeted device [3].\n\n# Products Affected\n\nThe following FortiManager versions are affected according to Fortinet [1]:\n\n- FortiManager versions 5.6.10 and below.\n- FortiManager versions 6.0.10 and below.\n- FortiManager versions 6.2.7 and below.\n- FortiManager versions 6.4.5 and below.\n- FortiManager version 7.0.0.\n- FortiManager versions 5.4.x.\n\nThe following FortiAnalyzer versions are affected according to Fortinet [1]:\n\n- FortiAnalyzer versions 5.6.10 and below.\n- FortiAnalyzer versions 6.0.10 and below.\n- FortiAnalyzer versions 6.2.7 and below.\n- FortiAnalyzer versions 6.4.5 and below.\n- FortiAnalyzer version 7.0.0.\n\n# Recommendations\n\nPlease upgrade to the fixed versions listed in [1].\n\nCERT-EU recommends updating the vulnerable application as soon as possible.\n\n## Workarounds and Mitigations\n\nDisable FortiManager features on the FortiAnalyzer unit using the command below:\n\n```\nconfig system global\nset fmg-status disable <--- Disabled by default.\nend\n```\n\nFortinet also mentions that a FortiGate can provide protection: upgrade to IPS definitions version 18.100 or above, and make sure the action for signature FG-VD-50483 is set to block.\n\n# References\n\n[1] <https://www.fortiguard.com/psirt/FG-IR-21-067>\n\n[2] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32589>\n\n[3] <https://www.theregister.com/2021/07/20/fortinet_rce/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>22/07/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 19th of July 2021, Fortinet released information about a vulnerability (CVE-2021-32589) in FortiManager and FortiAnalyzer that could be exploited remotely by non-authenticated attackers to execute unauthorized / malicious code as <code>root</code> [1]. The severity of this vulnerability is <strong>high</strong>, with CVSSv3 Score 7.5 [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The flaw resides in the <code>fgfmsd</code> daemon. If it is running and vulnerable, it can be exploited over the network. A use-after-free (CWE-416) vulnerability in the <code>fgfmsd</code> daemon may allow a remote, non-authenticated attacker to execute unauthorised code as root by sending a specifically crafted request to the FGFM port of the targeted device [3].</p><h2 id=\"products-affected\">Products Affected</h2><p>The following FortiManager versions are affected according to Fortinet [1]:</p><ul><li>FortiManager versions 5.6.10 and below.</li><li>FortiManager versions 6.0.10 and below.</li><li>FortiManager versions 6.2.7 and below.</li><li>FortiManager versions 6.4.5 and below.</li><li>FortiManager version 7.0.0.</li><li>FortiManager versions 5.4.x.</li></ul><p>The following FortiAnalyzer versions are affected according to Fortinet [1]:</p><ul><li>FortiAnalyzer versions 5.6.10 and below.</li><li>FortiAnalyzer versions 6.0.10 and below.</li><li>FortiAnalyzer versions 6.2.7 and below.</li><li>FortiAnalyzer versions 6.4.5 and below.</li><li>FortiAnalyzer version 7.0.0.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Please upgrade to the fixed versions listed in [1].</p><p>CERT-EU recommends updating the vulnerable application as soon as possible.</p><h3 id=\"workarounds-and-mitigations\">Workarounds and Mitigations</h3><p>Disable FortiManager features on the FortiAnalyzer unit using the command below:</p><pre><code>config system global\nset fmg-status disable &lt;--- Disabled by default.\nend\n</code></pre><p>Fortinet also mentions that a FortiGate can provide protection: upgrade to IPS definitions version 18.100 or above, and make sure the action for signature FG-VD-50483 is set to block.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-21-067\">https://www.fortiguard.com/psirt/FG-IR-21-067</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32589\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32589</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.theregister.com/2021/07/20/fortinet_rce/\">https://www.theregister.com/2021/07/20/fortinet_rce/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}