Fortinet's security appliances hit by remote code execution vulnerability

Cure worse than the disease for anyone with the 'fgfmsd' daemon activated

Security appliance slinger Fortinet has warned of a critical vulnerability in its software that can be exploited to grant unauthenticated attackers full control over a targeted system, providing a particular daemon is enabled.

The flaw, discovered by Orange Group security researcher Cyrille Chatras and sent to Fortinet privately for responsible disclosure, lies in FortiManager and FortiAnalyzer's fgfmsd daemon, which if running and vulnerable can be exploited over the network.

"A Use After Free (CWE-416) vulnerability in [the] FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorised code as root via sending a specifically crafted request to the FGFM port of the targeted device," the vendor warned customers.

Note that the FGFM service is disabled by default in FortiAnalyzer and can only be enabled on 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, and 3900E appliances.

Those with affected FortiManager and FortiAnalyzer installations are advised to upgrade to the most recently released version – 5.6.11, 6.0.11, 6.2.8, 6.4.6, or 7.0.1 or above, depending on which major release of the software you're running – to close the hole.

Should that be impossible, and you're using a FortiAnalyzer box, a workaround is to disable the FortiManager features on the FortiAnalyzer unit manually with the following commands at the management console:

config system global
set fmg-status disable
end

"Memory related vulnerabilities are a common problem which can often have severe impact, such as is the case here," application security expert Sean Wright told The Register. "Ensuring appropriate checks are performed to identify these flaws is crucial, for example by using static code scanners which will detect and prevent their presence.

"Alternatively, educating developers about their existence early in the development cycle will ensure code is built securely and without such flaws in the first place. A more drastic approach, which is not always possible, is to move to a language which performs automatic memory management, such as Go or Java."
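To make the CWE-416 class concrete, here is an added example (not Fortinet's code and not based on the fgfmsd implementation) of a hypothetical request handler in a small management daemon. The frame layout (a 2-byte big-endian length prefix followed by the payload), the `session` structure and all function names are assumptions for illustration. The first handler shows the classic early-free-on-error-path pattern that the advisory's wording describes; the second releases the session exactly once, after its last use, and nulls the pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Per-connection state for a hypothetical management daemon (assumed layout). */
struct session {
    char peer[32];
    int  requests_seen;
};

static struct session *session_open(const char *peer)
{
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    strncpy(s->peer, peer, sizeof s->peer - 1);
    return s;
}

/* Frame layout assumed for this example: 2-byte big-endian payload length,
 * then the payload. Returns the payload length, or -1 when the frame is
 * truncated or its declared length does not match what arrived. */
static int frame_payload_len(const unsigned char *buf, size_t len)
{
    if (len < 2)
        return -1;
    size_t declared = ((size_t)buf[0] << 8) | buf[1];
    if (declared != len - 2)
        return -1;
    return (int)declared;
}

/* VULNERABLE pattern (CWE-416): the error path releases the session early,
 * but the shared accounting/logging path below still dereferences it.
 * Kept only to contrast with the hardened version; never call it. */
int handle_request_vulnerable(const char *peer, const unsigned char *buf, size_t len)
{
    struct session *s = session_open(peer);
    if (s == NULL)
        return -1;
    int payload = frame_payload_len(buf, len);
    if (payload < 0)
        free(s);                       /* BUG: s is freed here ... */
    s->requests_seen++;                /* ... and written here after the free */
    printf("request from %s: %d bytes\n", s->peer, payload);
    if (payload >= 0)
        free(s);
    return payload;
}

/* HARDENED: one owner, one release point after the last use, and the
 * pointer is nulled so a later mistaken use faults instead of reading
 * freed memory. Malformed frames are reported and dropped, not trusted. */
int handle_request_hardened(const char *peer, const unsigned char *buf, size_t len)
{
    struct session *s = session_open(peer);
    if (s == NULL)
        return -1;
    int payload = frame_payload_len(buf, len);
    s->requests_seen++;
    printf("request from %s: %s (%d bytes)\n", s->peer,
           payload < 0 ? "malformed, dropped" : "ok", payload);
    free(s);
    s = NULL;
    return payload;
}

int main(void)
{
    /* Constructed sample frames, not captured traffic. */
    const unsigned char good[]  = { 0x00, 0x03, 'a', 'b', 'c' };
    const unsigned char trunc[] = { 0x00, 0x05, 'a' };
    handle_request_hardened("192.0.2.10", good, sizeof good);
    handle_request_hardened("192.0.2.10", trunc, sizeof trunc);
    return 0;
}
```

Building the file with `-fsanitize=address` and calling the vulnerable handler with a one-byte frame is the quickest way to see how a sanitizer or static analyser flags this pattern in testing; the hardened handler returns the same status codes without ever touching released memory.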

The vulnerability is the biggest to hit Fortinet products since October last year, when the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) warned that flaws in the FortiOS SSL virtual private network (VPN) had been used to gain access to supposedly private networks in "multiple cases."

More information is available in the FortiGuard Labs security bulletin. Fortinet did not respond to a request for additional comment by the time of publication. ®
