Fortinet's FortiManager (FMG) is currently affected by CVE-2024-47575, a vulnerability that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices. To keep your systems resistant to known vulnerabilities like this one, patch promptly or apply the appropriate workaround.
To address this vulnerability, upgrade to firmware version 7.4.5. However, if your FMG is running in FIPS mode, a bug in that firmware will prevent you from applying the upgrade. This is a known issue, bug ID 1084618, and it is mentioned in the 7.4.5 release notes.
A workaround is available to temporarily safeguard your FortiManager instance from this vulnerability:
First, connect to your FMG, and then run the following commands:
```
# config system global
(global)# set fgfm-deny-unknown enable
(global)# end
```
Important Notes:
- With this setting enabled, the FMG refuses FGFM connections from devices it does not already know, which blocks unauthorized devices from connecting.
- It also affects legitimate device additions. To add a new device, either temporarily disable the workaround, add the device, and then re-enable the workaround, or
- Manually add the device to the FMG and provision it that way.
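If you manage more than one FMG, you will want to check each one for two things: whether it already runs the fixed 7.4.5 firmware, and if not, whether the `fgfm-deny-unknown` workaround is in place (and whether FIPS mode is what is keeping it from being upgraded). The script below is an added example, not Fortinet's code or part of this post: it parses the text that `get system status` and `show system global` print on the FMG CLI and classifies the host. The sample outputs are constructed for the example, the exact line formats (`Version : v7.4.x-build...`, `FIPS Mode : Enable`) are assumptions you should check against your own FMG, and the only fix version it knows is the 7.4.5 named above; hosts on other release branches are reported separately so you can consult the vendor advisory for them.

```python
"""Triage FortiManager CLI output for CVE-2024-47575 exposure.

Added example, not Fortinet's code. Feed it the text of
`get system status` and `show system global` captured over SSH.
Line formats in the regexes are assumptions; adjust to your FMG.
"""
import re
from dataclasses import dataclass

# Fixed release named in the post. Other branches are not covered here.
FIXED_VERSION = (7, 4, 5)


@dataclass
class FmgState:
    version: tuple          # (major, minor, patch)
    fips_mode: bool
    deny_unknown: bool      # fgfm-deny-unknown enabled?


def parse_version(status_output: str) -> tuple:
    """Pull (major, minor, patch) from the 'Version : vX.Y.Z-build...' line."""
    m = re.search(r"^Version\s*:\s*v(\d+)\.(\d+)\.(\d+)", status_output, re.M)
    if not m:
        raise ValueError("no Version line in 'get system status' output")
    return tuple(int(x) for x in m.groups())


def parse_fips(status_output: str) -> bool:
    """True if the 'FIPS Mode' line (assumed format) says Enable/Enabled."""
    m = re.search(r"^FIPS Mode\s*:\s*(\w+)", status_output, re.M)
    return bool(m) and m.group(1).lower() in ("enable", "enabled")


def parse_deny_unknown(global_output: str) -> bool:
    """True only on an explicit 'set fgfm-deny-unknown enable'.

    `show` omits settings left at their default, and the default is
    disable, so an absent line means the workaround is NOT applied.
    """
    return re.search(r"^\s*set fgfm-deny-unknown enable\b",
                     global_output, re.M) is not None


def parse_state(status_output: str, global_output: str) -> FmgState:
    return FmgState(version=parse_version(status_output),
                    fips_mode=parse_fips(status_output),
                    deny_unknown=parse_deny_unknown(global_output))


def triage(state: FmgState) -> str:
    """Classify a host: patched, mitigated, or one of the exposed cases."""
    on_fixed_branch = state.version[:2] == FIXED_VERSION[:2]
    if on_fixed_branch and state.version >= FIXED_VERSION:
        return "patched"
    if state.deny_unknown:
        # Workaround active; still schedule the firmware upgrade.
        return "mitigated"
    if not on_fixed_branch:
        # Not on the 7.4 branch this post covers; check the vendor advisory.
        return "exposed-unknown-branch"
    if state.fips_mode:
        # 7.4.5 will not install in FIPS mode (bug 1084618): apply the workaround.
        return "exposed-fips"
    return "exposed"


# Constructed sample outputs (not captured from a real device).
SAMPLE_STATUS_FIPS_744 = """\
Platform Type                   : FMG-VM64
Version                         : v7.4.4-build2452 (GA)
FIPS Mode                       : Enable
Hostname                        : fmg-lab
"""
SAMPLE_STATUS_745 = """\
Platform Type                   : FMG-VM64
Version                         : v7.4.5-build2501 (GA)
FIPS Mode                       : Disable
Hostname                        : fmg-prod
"""
SAMPLE_STATUS_728 = """\
Version                         : v7.2.8-build1591 (GA)
FIPS Mode                       : Disable
"""
SAMPLE_GLOBAL_DEFAULT = """\
config system global
    set hostname "fmg-lab"
end
"""
SAMPLE_GLOBAL_WORKAROUND = """\
config system global
    set hostname "fmg-lab"
    set fgfm-deny-unknown enable
end
"""

if __name__ == "__main__":
    for label, status, glob in [
        ("fips-7.4.4-no-workaround", SAMPLE_STATUS_FIPS_744, SAMPLE_GLOBAL_DEFAULT),
        ("fips-7.4.4-workaround", SAMPLE_STATUS_FIPS_744, SAMPLE_GLOBAL_WORKAROUND),
        ("7.4.5", SAMPLE_STATUS_745, SAMPLE_GLOBAL_DEFAULT),
        ("7.2.8", SAMPLE_STATUS_728, SAMPLE_GLOBAL_DEFAULT),
    ]:
        print(f"{label}: {triage(parse_state(status, glob))}")
```

Run it against real captures by saving each command's output to a file and passing the text to `parse_state`; a "mitigated" result means the workaround is in place but the host should still be upgraded once a FIPS-compatible build is available.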
The fix for the FIPS-mode upgrade bug is currently slated for firmware version 7.4.6, tentatively scheduled for release on December 15, 2024.