Introduction
An attacker holding valid Fortinet management credentials can execute unauthorized code on core security infrastructure through a heap-based buffer overflow in the fgfmsd daemon. The vulnerability affects a wide range of Fortinet products that implement the FortiGate-to-FortiManager (FGFM) protocol, including FortiAnalyzer, FortiManager, FortiOS, and FortiProxy, so it reaches both the centralized management and analytics tier and the firewalls and proxies that report to it. The exposure is significant for organizations that rely on these platforms for security operations and compliance.
Fortinet is a leading global cybersecurity vendor with hundreds of thousands of enterprise customers and a portfolio that includes next-generation firewalls, centralized management, analytics, and secure web gateway products. Its management and analytics platforms are widely deployed in critical infrastructure, financial services, healthcare, and government networks, so vulnerabilities in these products matter well beyond Fortinet's own customer base.
Technical Information
CVE-2024-50571 is a heap-based buffer overflow in the fgfmsd daemon, which handles FortiGate-to-FortiManager protocol (FGFM) communications. The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow) and tracked by Fortinet as FG-IR-24-442. It is triggered when an authenticated attacker sends a specially crafted request to the fgfmsd service: insufficient bounds checking on attacker-controlled data lets the daemon write past the end of a heap allocation, corrupting adjacent heap memory. Heap corruption of this kind can be steered into arbitrary code execution in the context of the fgfmsd process, and because fgfmsd is a core system daemon, control of that process can amount to control of the appliance.
The attack requires authentication, so only attackers who hold valid credentials, or who can steal or brute-force them, can exploit the issue. That requirement lowers the bar for detection but should not be mistaken for a mitigation: management credentials are a routine target, and a compromised FortiGate or management account is exactly the foothold this flaw turns into code execution. Beyond applying the fixed versions, practitioners should restrict which hosts can reach the FGFM listener (TCP/541) and review management accounts and authentication logs on affected devices. No public code snippets or proof-of-concept exploits were available for this vulnerability at the time of writing. The flaw is present in multiple major version branches, indicating that the defective code has been in the codebase for an extended period.
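The paragraphs above describe the bug class in the abstract. The following is an added illustration, not Fortinet code and not the actual fgfmsd message format: a hypothetical length-prefixed message parser (2-byte type, 2-byte declared payload length, payload) in its CWE-122 form beside a hardened form. All names, the header layout, and the 64-byte buffer size are assumptions for the example. The vulnerable parser trusts the declared length and copies it into a fixed-size heap buffer; the hardened parser checks the declared length against both the buffer size and the bytes actually received.

```c
/* Added example (not Fortinet's code): heap-based buffer overflow (CWE-122)
 * in a hypothetical length-prefixed message parser, and its hardened form.
 * Message layout (assumed): [type:2][declared_len:2][payload:declared_len]. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_HDR_LEN 4     /* 2-byte type + 2-byte declared payload length */
#define PAYLOAD_MAX 64    /* size of the heap buffer the service allocates */

struct msg {
    uint16_t type;
    uint16_t len;
    uint8_t *payload;     /* heap buffer of PAYLOAD_MAX bytes */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable: trusts the declared length. A declared length larger than
 * PAYLOAD_MAX makes memcpy write past the heap allocation and into
 * adjacent chunks. Never call this with untrusted input. */
int parse_vulnerable(const uint8_t *pkt, size_t pkt_len, struct msg *out)
{
    if (pkt_len < MSG_HDR_LEN) return -1;
    out->type = rd16(pkt);
    out->len  = rd16(pkt + 2);
    out->payload = malloc(PAYLOAD_MAX);
    if (!out->payload) return -1;
    memcpy(out->payload, pkt + MSG_HDR_LEN, out->len);   /* BUG: no bounds check */
    return 0;
}

/* Hardened: the declared length must fit the heap buffer AND the bytes that
 * were actually received, so neither a heap overflow nor an over-read of the
 * input is possible. */
int parse_hardened(const uint8_t *pkt, size_t pkt_len, struct msg *out)
{
    if (pkt_len < MSG_HDR_LEN) return -1;
    uint16_t len = rd16(pkt + 2);
    if (len > PAYLOAD_MAX) return -2;                      /* would overflow the heap buffer */
    if ((size_t)len > pkt_len - MSG_HDR_LEN) return -3;    /* would read past the packet */
    out->type = rd16(pkt);
    out->len  = len;
    out->payload = malloc(PAYLOAD_MAX);
    if (!out->payload) return -1;
    memcpy(out->payload, pkt + MSG_HDR_LEN, len);
    return 0;
}

void msg_free(struct msg *m) { free(m->payload); m->payload = NULL; }

/* Build a constructed test packet: header plus `actual` payload bytes of 'A'.
 * `declared` may disagree with `actual` to model a crafted request. */
size_t build_pkt(uint8_t *buf, size_t cap, uint16_t type, uint16_t declared, size_t actual)
{
    if (cap < MSG_HDR_LEN + actual) return 0;
    buf[0] = (uint8_t)(type >> 8);     buf[1] = (uint8_t)(type & 0xff);
    buf[2] = (uint8_t)(declared >> 8); buf[3] = (uint8_t)(declared & 0xff);
    memset(buf + MSG_HDR_LEN, 'A', actual);
    return MSG_HDR_LEN + actual;
}

/* Build a packet with the given declared/actual lengths and return the
 * hardened parser's verdict (0 accept, -2 heap overflow, -3 over-read). */
int hardened_verdict(uint16_t declared, size_t actual)
{
    uint8_t pkt[1024];
    struct msg m = {0};
    size_t n = build_pkt(pkt, sizeof pkt, 0x0001, declared, actual);
    int rc = parse_hardened(pkt, n, &m);
    if (rc == 0) msg_free(&m);
    return rc;
}

int main(void)
{
    /* Well-formed: 16 declared, 16 received -> accepted. */
    printf("valid   (16/16)  -> %d\n", hardened_verdict(16, 16));
    /* Crafted: declares 400 bytes for a 64-byte heap buffer -> rejected.
     * parse_vulnerable would memcpy 400 bytes into 64 here. */
    printf("crafted (400/400)-> %d\n", hardened_verdict(400, 400));
    /* Truncated: declares more than was received -> rejected. */
    printf("short   (40/8)   -> %d\n", hardened_verdict(40, 8));
    return 0;
}
```

The two checks in parse_hardened are the whole fix for this class of bug: a declared length is attacker data and must be validated against the destination allocation and the source buffer before any copy. Running parse_vulnerable on the crafted packet is undefined behaviour and is deliberately not done in main; under a heap debugger it would report a write of 336 bytes past the 64-byte chunk.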
Affected Systems and Versions
CVE-2024-50571 affects the following Fortinet products and versions:
- FortiAnalyzer: 7.6.0 through 7.6.2, 7.4.0 through 7.4.5, 7.2.0 through 7.2.8, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, 6.2.0 through 6.2.13, 6.0.0 through 6.0.12
- FortiManager: 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, 6.2.0 through 6.2.13, 6.0.0 through 6.0.12
- FortiOS: 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4.0 through 6.4.15, 6.2.0 through 6.2.17
- FortiProxy: 7.6.0, 7.4.0 through 7.4.6, 7.2.0 through 7.2.12, 7.0.0 through 7.0.19, 2.0.0 through 2.0.14, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7
- FortiManager Cloud: 7.6.2, 7.4.1 through 7.4.5, 7.2.1 through 7.2.8, 7.0.1 through 7.0.13, 6.4.1 through 6.4.7
- FortiAnalyzer Cloud: 7.4.1 through 7.4.5, 7.2.1 through 7.2.8, 7.0.1 through 7.0.13, 6.4.1 through 6.4.7

The vulnerability is present in both on-premises and cloud deployments running the affected versions; cloud customers should confirm their tenant's version rather than assume the vendor-managed service has already been updated.
Vendor Security History
Fortinet has previously addressed vulnerabilities in its management and protocol daemons. Notable examples include:
- CVE-2024-47575: Missing authentication in the fgfmd daemon of FortiManager, exploited in the wild.
- CVE-2021-32589: Use-after-free in fgfmsd affecting FortiManager and FortiAnalyzer.

Fortinet's PSIRT generally provides coordinated advisories and patches, but the recurrence of memory-safety and authentication flaws in the same FGFM daemon highlights the ongoing difficulty of securing a protocol handler that is both network-reachable and privileged.