The Fortinet cybersecurity team released a series of updates to its FortiManager and FortiAnalyzer network management solutions in order to address a critical flaw that could allow hackers to gain elevated privileges. These solutions are deployed in thousands of organizations, in the form of physical devices, virtual machines, and cloud deployments.
Organizations use these solutions for the management, deployment and configuration of devices on the network, in addition to allowing the collection and analysis of logs generated for the identification of security threats.
The company’s cybersecurity alert refers to the flaw tracked as CVE-2021-32589, described as a use-after-free vulnerability in the FortiManager and FortiAnalyzer fgfmsd daemon. Flaws of this class occur when a program keeps using a section of memory after it has been released, so the memory may be reused for something else; at a minimum this results in the application crashing.
The company mentions that sending a specially crafted request to the FGFM port of the target device would allow unauthenticated remote threat actors to execute code as the root user. It is worth mentioning that this port is disabled by default and can only be enabled on certain hardware models, including 1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F and 3900E.
Versions of FortiManager affected by this flaw include:
- Versions 5.6.10 and earlier
- Versions 6.0.10 and earlier
- Versions 6.2.7 and earlier
- Versions 6.4.5 and earlier
- Version 7.0.0
- Versions 5.4.x
On the other hand, the vulnerable versions of FortiAnalyzer are:
- Versions 5.6.10 and earlier
- Versions 6.0.10 and earlier
- Versions 6.2.7 and earlier
- Versions 6.4.5 and earlier
- Version 7.0.0
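The two lists above are easy to misread ("and earlier" covers every patch of that branch, but not the next branch). The following triage script, added here and not taken from the article or from Fortinet, encodes exactly those lists and flags inventory entries that fall inside them, ranking entries whose FGFM port is enabled as the ones to patch first; the host names and the `fgfm_enabled` field are constructed sample data.

```python
# Added example: triage a device inventory against the affected-version lists
# quoted in the article for CVE-2021-32589. Not Fortinet code.

# "Versions X.Y.Z and earlier" -> every patch of branch (X, Y) up to Z.
# None -> the whole branch is listed (FortiManager 5.4.x).
AFFECTED = {
    "FortiManager":  {(5, 4): None, (5, 6): 10, (6, 0): 10, (6, 2): 7, (6, 4): 5, (7, 0): 0},
    "FortiAnalyzer": {(5, 6): 10, (6, 0): 10, (6, 2): 7, (6, 4): 5, (7, 0): 0},
}


def parse_version(text):
    """Turn 'major.minor.patch' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True if the (product, version) pair is inside a range the article lists."""
    major, minor, patch = parse_version(version)
    branches = AFFECTED.get(product)
    if branches is None:
        raise ValueError(f"unknown product: {product!r}")
    if (major, minor) not in branches:
        return False  # branch not named in the advisory text
    max_patch = branches[(major, minor)]
    return max_patch is None or patch <= max_patch


def triage(inventory):
    """Return (host, product, version, priority) for affected entries, exposed ones first."""
    hits = []
    for host, product, version, fgfm_enabled in inventory:
        if is_affected(product, version):
            # The article: the FGFM port is the attack surface and is off by default.
            priority = "patch now (FGFM enabled)" if fgfm_enabled else "patch (FGFM disabled)"
            hits.append((host, product, version, priority))
    return sorted(hits, key=lambda h: h[3].startswith("patch now"), reverse=True)


# Constructed sample inventory: (host, product, version, fgfm_enabled)
SAMPLE_INVENTORY = [
    ("fmg-01", "FortiManager", "6.4.5", False),
    ("fmg-02", "FortiManager", "6.4.6", True),
    ("fmg-03", "FortiManager", "5.4.3", True),
    ("faz-01", "FortiAnalyzer", "7.0.0", False),
    ("faz-02", "FortiAnalyzer", "5.4.3", True),
]

if __name__ == "__main__":
    for host, product, version, priority in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> {priority}")
```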
The vulnerability was reported to the Cybersecurity and Infrastructure Security Agency (CISA), which asks administrators of vulnerable deployments to update as soon as possible to prevent the risk of exploitation.