PSIRT Blogs

Fortinet Provides Immediate Patch Update and Mitigations for Critical FortiManager and FortiAnalyzer Vulnerability - CVE-2021-32589

By Carl Windsor | July 20, 2021

On July 19, Fortinet published a security advisory documenting and sharing patches and workarounds for a Use-After-Free (UAF) vulnerability (CWE-416) in FortiManager, and in some edge cases, FortiAnalyzer. If not updated using the patch and mitigations provided by Fortinet, this vulnerability may allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the targeted device. 

We urgently reiterate our strong recommendation for any customers who have not yet updated their devices that they take immediate action to mitigate this risk. This includes upgrading their FortiManager/FortiAnalyzer, as per the advisory FG-IR-21-067. As a temporary mitigation before updating, immediate action can be taken by employing a FortiGate in front of the device with IPS definitions 18.100 or later and setting the FortiGate IPS signature FG-VD-50483 to block. Fortinet recommends that this should only be used as a temporary solution while scheduling the upgrade process.

The security of our customers is our first priority. Fortinet has issued a patch and mitigations, and we are proactively communicating to customers, strongly urging them to immediately update their FortiManager and FortiAnalyzer products. Additionally, we recommend that customers validate their configuration to ensure that no unauthorized changes have been implemented by a malicious third party. Fortinet is actively monitoring the situation, and we are not aware of this having been exploited in the wild at this time.

Fortinet identified this issue during customer penetration testing. Out of an abundance of caution, and due to the importance of FortiManager as the central management platform for many organizations, we also took several additional steps to notify customers before issuing the public advisory to help them mitigate the risk. These include:

  • Issuing email notification to the primary account owners of all FortiManager devices
  • Issuing a Customer Support Bulletin via https://support.fortinet.com

Fortinet has also worked in conjunction with CISA and other agencies to ensure this message has been communicated as broadly as possible.

Impact of Additional Notification Steps

As part of this extraordinary notification process (out of band from our monthly Advisory cadence), Fortinet continues to monitor the impact of each notification method to customers to help identify the most efficient method for communicating PSIRT information with our customer base.

Fortinet has seen bursts of upgrades with each notification, and we welcome collaboration with CISA to propagate the urgency to upgrade as there are still many devices needing to be upgraded. So, once again, Fortinet requests that customers take immediate action to upgrade their FortiManager devices.

Fortinet PSIRT Team 

The security landscape is constantly evolving, and maintaining all systems—especially security devices—is essential for staying ahead of cybercriminals. Like most vendors, Fortinet provides customers with support and regular firmware updates via our PSIRT Advisories page

To be made aware of all PSIRT advisories, please use the following link to learn about our various notification services, which help to support and encourage our customers to adopt a more proactive risk management and mitigation process

At Fortinet, we are on a constant journey with our customers to best protect and secure their organizations. We welcome feedback on how we can better work together in this ongoing process. Please contact PSIRT via our Web Submission form if you have any suggestions or feedback.

You can also use this link to learn details about our current Fortinet PSIRT Policy and how to submit a potential vulnerability to the PSIRT team. 

 

 

Tags: