07/20/2021 | Press release | Distributed by Public on 07/20/2021 13:45
On July 19, Fortinet published a security advisory documenting, and sharing patches and workarounds for, a use-after-free vulnerability (CWE-416) in FortiManager and, in some edge cases, FortiAnalyzer. If a device is not updated per the patch and mitigations provided by Fortinet, the vulnerability may allow a remote, non-authenticated attacker to execute unauthorized code as root by sending a specifically crafted request to the targeted device.
For any customers who have not yet updated their devices, we are urgently reiterating our strong recommendation that they take immediate action to mitigate this risk, which includes upgrading their FortiManager/FortiAnalyzer as per the advisory FG-IR-21-067. As a temporary mitigation before updating, immediate action can be taken by employing a FortiGate in front of the device with IPS definitions 18.100 or later and setting the FortiGate IPS signature FG-VD-50483 to block. Fortinet recommends that this be used only as a temporary solution while scheduling the upgrade process.
The security of our customers is our first priority. Fortinet has issued a patch and mitigations, and we are proactively communicating with customers, strongly urging them to immediately update their FortiManager and FortiAnalyzer products. Additionally, we recommend that customers validate their configuration to ensure that no unauthorized changes have been implemented by a malicious third party. Fortinet is monitoring the situation and is not aware of this being exploited in the wild at this time.
Prior to publishing the advisory, Fortinet took steps to, and continues to, notify and collaborate with customers on the recommendation.
This issue was identified during customer penetration testing. We recommend that customers validate their configuration to ensure that no unauthorized changes have been implemented by a malicious third party. Out of an abundance of caution, due to the importance of FortiManager as the central management platform for many organizations, we previously initiated several additional steps in the notification process to provide notice of this issue prior to the public advisory to help customers mitigate the risk, including:
Fortinet also worked in conjunction with CISA and other agencies to ensure this message was communicated as broadly as possible.
As part of this extraordinary notification process (out of band from our monthly Advisory cadence), Fortinet continues to monitor the impact of each notification method to customers to help identify the most efficient method to communicate PSIRT information with our customer base.
Fortinet has seen bursts of upgrades with each notification and welcomes collaboration with CISA to propagate the urgency to upgrade, as there are still a large number of devices needing to be upgraded. Once again, Fortinet requests that customers take immediate action to upgrade their FortiManager devices.
The security landscape is constantly evolving, and maintaining all systems, especially security devices, is essential to stay ahead of cybercriminals. Like most vendors, Fortinet provides customers with support and regular firmware updates via our PSIRT Advisories page.
To be made aware of all PSIRT advisories, please use the following link to learn about our various notification services, which help to support and encourage our customers to adopt a more proactive risk management and mitigation process.
At Fortinet, we are on a constant journey with our customers to best protect and secure their organizations. We welcome feedback on how we can better work together in this ongoing process. Please contact PSIRT via our Web Submission form if you have any suggestions or feedback.
You can also use this link to learn details about our current Fortinet PSIRT Policy and how to submit a potential vulnerability to the PSIRT team.