CVE-2024-26008
📋 TL;DR
This vulnerability allows an unauthenticated attacker to repeatedly reset the fgfm connection via crafted SSL-encrypted TCP requests, causing a denial of service of central management. fgfm is the FortiGate-to-FortiManager management protocol (TCP port 541 by default), so the impact is loss of the management channel rather than of traffic forwarding. Affected products are FortiOS, FortiProxy, FortiPAM and FortiSwitchManager in the version ranges given in the vendor advisory.
💻 Affected Systems
- FortiOS
- FortiProxy
- FortiPAM
- FortiSwitchManager
📦 What is this software?
FortiOS by Fortinet: the operating system of FortiGate firewalls; its fgfm daemon accepts FortiManager management connections.
FortiProxy by Fortinet: Fortinet's secure web proxy, which shares the FortiOS code base and the same fgfm management channel.
FortiPAM by Fortinet: Fortinet's privileged access management appliance.
FortiSwitchManager by Fortinet: the standalone management platform for FortiSwitch devices.
⚠️ Risk & Real-World Impact
Worst Case
Sustained denial of service of the fgfm management channel: the managing FortiManager (or FortiSwitchManager) repeatedly loses its connection to the managed devices, so policy pushes, configuration synchronization and central monitoring over that channel stall, disrupting security operations. The advisory describes a connection reset only; the device's traffic-forwarding plane is not described as affected.
Likely Case
Intermittent resets of the management connection for as long as an attacker can reach the port, causing management instability (devices showing out of sync, failed policy installs) and possible service disruption during changes.
If Mitigated
Minimal impact: with the fgfm listener reachable only from the management network (and ideally only from the manager's own address), an Internet-facing attacker cannot send packets to the service at all.
🎯 Exploit Status
No authentication is needed. The attacker must be able to reach the fgfm service port (TCP 541 by default) and send crafted SSL-encrypted TCP requests to it; each successful attempt resets the management connection, and repeating it sustains the denial of service. The outcome is a reset of the management session, not code execution or access to the device.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiOS 7.4.4, 7.2.7; FortiProxy 7.4.4, 7.2.9; FortiPAM 1.2.0; FortiSwitchManager 7.2.4, 7.0.4
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-041
Restart Required: Yes. A firmware upgrade reboots the device, so schedule a maintenance window; on an HA cluster follow the cluster upgrade procedure so only one member reboots at a time.
Instructions:
1. Back up the running configuration first (GUI: System > Configuration > Backup).
2. Check the supported upgrade path in Fortinet's upgrade documentation; some version jumps require an intermediate build.
3. Log into the device management interface and open System > Firmware (labelled Firmware & Registration in recent 7.x releases).
4. Upload and install the patched firmware version and wait for the device to reboot.
5. Verify the upgrade with get system status and confirm that the FortiManager connection comes back up.
🔧 Temporary Workarounds
Restrict fgfm service access
Limit who can reach the fgfm listener (TCP 541 by default) using interface access settings and local-in policies. fgfm is a service of the FortiGate itself, so an ordinary firewall policy (config firewall policy), which only governs traffic passing through the device, does not control it. The FortiOS CLI below is the example; FortiPAM and FortiSwitchManager have their own administration interfaces, so check the vendor advisory for product-specific guidance.
Option 1: remove fgfm from allowaccess on every interface that does not need to accept FortiManager connections (set allowaccess replaces the whole list, so include every other service you still need):
config system interface
    edit <interface>
        set allowaccess ping https ssh
    next
end
Option 2: keep fgfm enabled on the management interface but permit only the manager's address with a local-in policy (<fortimanager_address_object> is a firewall address object for the FortiManager IP):
config firewall service custom
    edit "FGFM_TCP_541"
        set tcp-portrange 541
    next
end
config firewall local-in-policy
    edit 1
        set intf <management_interface>
        set srcaddr <fortimanager_address_object>
        set dstaddr "all"
        set service "FGFM_TCP_541"
        set action accept
        set schedule "always"
    next
    edit 2
        set intf <management_interface>
        set srcaddr "all"
        set dstaddr "all"
        set service "FGFM_TCP_541"
        set action deny
        set schedule "always"
    next
end
Local-in policies are evaluated top-down and a packet that matches none of them is allowed, so the final deny entry is what actually blocks other sources. After either change, confirm the management tunnel still comes up (diagnose fdsm central-mgmt-status) before relying on the workaround.
🧯 If You Can't Patch
- Implement strict network access controls so that only the management network, and preferably only the manager's address, can reach the fgfm service port.
- Monitor for unusual connection reset patterns on that port. FortiOS DoS policies (config firewall DoS-policy) can rate-limit per-source TCP session and SYN anomalies, which blunts repeated reconnect attempts but does not remove the flaw.
🔍 How to Verify
Check if Vulnerable:
Read the firmware version via CLI (get system status, which prints a Version: line with the model and vX.Y.Z build) or GUI (System > Dashboard > System Information), and compare it against the affected ranges in the vendor advisory.
Check Version:
get system status | grep Version
Verify Fix Applied:
Confirm the running version is at or above the patched version for your release branch (for example FortiOS 7.2.x must be 7.2.7 or later); a branch not listed above must be checked against the vendor advisory.
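The check above has to be repeated for every device in a fleet, so here is an added example (not from the page or from Fortinet) that parses the Version: line of get system status output and decides per release branch whether the device is at or above the fixed version. The fixed versions are the FortiOS and FortiProxy ones listed on this page; the status text is a constructed sample, and any branch or product not in the table is reported as unknown rather than guessed.

```python
import re

# Fixed versions as listed on this page (assumption: other products/branches are
# not covered here and must be checked against the vendor advisory).
FIXED_BY_PRODUCT = {
    "FortiOS":    {"7.4": (7, 4, 4), "7.2": (7, 2, 7)},
    "FortiProxy": {"7.4": (7, 4, 4), "7.2": (7, 2, 9)},
}

# Matches the "Version:" line of `get system status`, e.g.
# "Version: FortiGate-100F v7.2.6,build1575,231220 (GA.M)"
VERSION_RE = re.compile(r"^Version:\s+(?P<model>\S+)\s+v(?P<ver>\d+\.\d+\.\d+)", re.M)


def parse_status_version(status_output):
    """Return (model, (major, minor, patch)) from status output, or None if absent."""
    m = VERSION_RE.search(status_output)
    if not m:
        return None
    ver = tuple(int(part) for part in m.group("ver").split("."))
    return m.group("model"), ver


def assess(product, status_output):
    """Classify a device as 'fixed', 'vulnerable' or 'unknown: ...' for CVE-2024-26008."""
    parsed = parse_status_version(status_output)
    if parsed is None:
        return "unknown: no Version line found"
    _model, ver = parsed
    branch = f"{ver[0]}.{ver[1]}"
    fixed = FIXED_BY_PRODUCT.get(product, {}).get(branch)
    if fixed is None:
        return f"unknown: {product} branch {branch} is not in this page's fix list; consult the advisory"
    # Within a listed branch, every build below the fixed one is affected.
    return "fixed" if ver >= fixed else "vulnerable"


# Constructed sample output (not captured from a real device).
SAMPLE_STATUS = (
    "Version: FortiGate-100F v7.2.6,build1575,231220 (GA.M)\n"
    "Security Level: 1\n"
    "Firmware Signature: certified\n"
)

if __name__ == "__main__":
    print(assess("FortiOS", SAMPLE_STATUS))
```

Feed the function the raw output of get system status collected over SSH from each device; treating unlisted branches as unknown avoids a false "fixed" verdict for releases the page does not cover.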
📡 Detection & Monitoring
Log Indicators:
- Repeated fgfm session resets from a single source IP in the FortiGate's local traffic logs (type=traffic subtype=local with dstport=541)
- Unusual TCP reset patterns on the fgfm port; for live troubleshooting, diagnose debug application fgfmd -1 shows the daemon's connection handling
Network Indicators:
- High volume of SSL-encrypted TCP connections to the fgfm port (default 541) from addresses other than the FortiManager
- Connection reset patterns, in particular management connections that are repeatedly re-established from the manager
SIEM Query:
source="fortinet" (fgfm OR "connection reset") AND dest_port=541
dest_port is the CIM-normalized field name used by the Fortinet add-on for Splunk; on raw FortiGate syslog the field is dstport=541.
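The "multiple resets from a single source" indicator is easy to state but needs a time window and threshold to be useful. This added example (not from the page or from Fortinet) applies it to FortiGate-style key=value traffic log lines: it parses the lines, keeps only traffic to the fgfm port whose action denotes a closed or reset session, and flags any source that produced at least the threshold number of such events inside a sliding window. The log lines are constructed samples in FortiOS's syslog format; the threshold, window and the set of action values counted as resets are assumptions to tune against your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FGFM_PORT = "541"                                   # default fgfm port (assumption: IPv4 listener)
RESET_ACTIONS = {"client-rst", "server-rst", "close"}  # assumption: action values treated as a reset
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines in FortiGate key=value traffic-log style (not real device output).
SAMPLE_LOGS = [
    'date=2024-03-12 time=10:00:01 devname="FGT-1" type="traffic" subtype="local" srcip=203.0.113.5 srcport=40001 dstip=192.0.2.1 dstport=541 proto=6 action="client-rst" service="tcp/541"',
    'date=2024-03-12 time=10:00:02 devname="FGT-1" type="traffic" subtype="local" srcip=198.51.100.7 srcport=51022 dstip=192.0.2.1 dstport=541 proto=6 action="close" service="tcp/541"',
    'date=2024-03-12 time=10:00:05 devname="FGT-1" type="traffic" subtype="local" srcip=203.0.113.5 srcport=40002 dstip=192.0.2.1 dstport=541 proto=6 action="client-rst" service="tcp/541"',
    'date=2024-03-12 time=10:00:09 devname="FGT-1" type="traffic" subtype="local" srcip=203.0.113.5 srcport=40003 dstip=192.0.2.1 dstport=541 proto=6 action="client-rst" service="tcp/541"',
    'date=2024-03-12 time=10:00:12 devname="FGT-1" type="traffic" subtype="local" srcip=203.0.113.5 srcport=40004 dstip=192.0.2.1 dstport=443 proto=6 action="client-rst" service="HTTPS"',
    'date=2024-03-12 time=10:00:14 devname="FGT-1" type="traffic" subtype="local" srcip=203.0.113.5 srcport=40005 dstip=192.0.2.1 dstport=541 proto=6 action="client-rst" service="tcp/541"',
    'date=2024-03-12 time=10:00:20 devname="FGT-1" type="traffic" subtype="local" srcip=203.0.113.5 srcport=40006 dstip=192.0.2.1 dstport=541 proto=6 action="server-rst" service="tcp/541"',
    'date=2024-03-12 time=10:00:25 devname="FGT-1" type="traffic" subtype="local" srcip=203.0.113.9 srcport=33001 dstip=192.0.2.1 dstport=541 proto=6 action="deny" service="tcp/541"',
    'date=2024-03-12 time=10:00:31 devname="FGT-1" type="traffic" subtype="local" srcip=203.0.113.5 srcport=40007 dstip=192.0.2.1 dstport=541 proto=6 action="client-rst" service="tcp/541"',
]


def parse_kv(line):
    """Parse one FortiGate key=value log line into a dict; quoted values lose their quotes."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def fgfm_reset_bursts(lines, threshold=5, window_seconds=60):
    """Return {srcip: peak count} for sources with >= threshold fgfm resets inside any window."""
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(list)
    for line in lines:
        fields = parse_kv(line)
        if fields.get("type") != "traffic" or fields.get("dstport") != FGFM_PORT:
            continue                                   # not traffic to the fgfm listener
        if fields.get("action") not in RESET_ACTIONS:
            continue                                   # accepted/denied sessions are not resets
        stamp = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
        per_source[fields["srcip"]].append(stamp)

    flagged = {}
    for src, times in per_source.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in fgfm_reset_bursts(SAMPLE_LOGS).items():
        print(f"{src}: {count} fgfm resets inside one window")
```

On the sample data only 203.0.113.5 is flagged: its reset on port 443 and the other hosts' single close and deny events are filtered out, which is the point of keying on dstport and action rather than on "reset" anywhere in the line. A legitimate FortiManager reconnecting after maintenance also produces a handful of closes, so set the threshold above what your manager generates during a normal reconnect.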