Fortinet has released updates for its FortiManager and FortiAnalyzer network management solutions to fix a serious vulnerability that could be exploited to execute arbitrary code with the highest privileges.
Both FortiManager and FortiAnalyzer are enterprise-grade network management solutions for environments with up to 100,000 devices. They are available as a physical appliance, as a virtual machine, in the cloud, or hosted by Fortinet.
Organisations can use the products to manage, deploy and configure devices on the network, as well as to collect and analyse the generated logs to identify and eliminate threats.
Fortinet has published a security advisory for the issue, tracked as CVE-2021-32589, describing it as a use-after-free (UAF) vulnerability in the fgfmsd daemon of FortiManager and FortiAnalyzer. Fortinet says that sending a specially crafted request to the “FGFM” port of a target device “may allow a remote, non-authenticated attacker to execute unauthorized code as root.”
A use-after-free occurs when a program frees a block of memory but keeps a dangling pointer to it and later reads or writes through that pointer. The simplest outcome is a crash, but if an attacker can get the freed block reallocated with data they control before the stale pointer is used, the bug becomes a vector for code execution, which is the impact Fortinet describes here.
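As an added illustration of the bug class (this is not Fortinet's code and says nothing about how fgfmsd is actually implemented), the C sketch below shows the use-after-free pattern in a hypothetical connection-handling daemon beside its hardened form. The session structure, the handler name and the 'Q' teardown message are all made-up assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-connection state for a management daemon (assumption
 * for this example only, not a description of fgfmsd). */
typedef struct {
    int fd;
    char peer[32];
    int (*handler)(const char *msg);
} session_t;

static int echo_handler(const char *msg) { return (int)strlen(msg); }

session_t *session_open(int fd, const char *peer) {
    session_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->fd = fd;
    snprintf(s->peer, sizeof s->peer, "%s", peer);
    s->handler = echo_handler;
    return s;
}

/* Vulnerable pattern: the session is freed on a teardown message, but the
 * dangling pointer is still dereferenced afterwards. */
int vulnerable_dispatch(session_t **slot, const char *msg) {
    session_t *s = *slot;
    if (msg[0] == 'Q') {
        free(s);                 /* session torn down ... */
    }
    /* ... but still used: this reads freed memory (heap-use-after-free).
     * In a real daemon the chunk may already hold attacker-controlled data
     * by now, so s->handler can be an attacker-chosen address. */
    return s->handler(msg);
}

/* Hardened pattern: one owner frees and nulls the slot, and every dispatch
 * refuses to touch a session that has been closed. */
void session_close(session_t **slot) {
    free(*slot);
    *slot = NULL;
}

int safe_dispatch(session_t **slot, const char *msg) {
    session_t *s = *slot;
    if (s == NULL) return -1;    /* closed session: reject, never deref */
    if (msg[0] == 'Q') {
        session_close(slot);
        return 0;
    }
    return s->handler(msg);
}

/* Runs the hardened path end to end on constructed input; returns 1 when
 * every step behaves as expected, 0 otherwise. */
int hardened_demo(void) {
    session_t *s = session_open(3, "10.0.0.5");   /* constructed sample */
    if (!s) return 0;
    int ok = safe_dispatch(&s, "HELLO") == 5      /* normal request   */
          && safe_dispatch(&s, "QUIT") == 0       /* teardown         */
          && s == NULL                            /* slot was nulled  */
          && safe_dispatch(&s, "HELLO") == -1;    /* stale use denied */
    return ok;
}

int main(void) {
    printf("hardened path ok: %d\n", hardened_demo());
#ifdef DEMO_UAF
    /* Build with -fsanitize=address -DDEMO_UAF to see ASan report the
     * heap-use-after-free in vulnerable_dispatch. */
    session_t *s = session_open(4, "10.0.0.6");
    vulnerable_dispatch(&s, "QUIT");
#endif
    return 0;
}
```

The hardened version puts the free in a single owner, clears the pointer immediately so no stale copy survives in the slot, and checks for a closed session before every dereference. Compiling with AddressSanitizer and `-DDEMO_UAF` makes the unsafe path report the stale access the moment it happens, which is the check worth adding to any daemon's test build.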
The company highlights that FGFM is disabled by default on FortiAnalyzer and can be turned on only on some hardware models: 1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E.
CISA has also published an advisory encouraging users and administrators to review the vulnerability information from Fortinet and apply the updates.