CVE-2024-33504
📋 TL;DR
This vulnerability in FortiManager allows attackers with JSON API access permissions to decrypt sensitive data due to hard-coded cryptographic keys. It affects FortiManager versions 7.6.0-7.6.1, 7.4.0-7.4.5, 7.2.0-7.2.9, and all 7.0 and 6.4 versions. The 'private-data-encryption' setting does not protect against this attack.
💻 Affected Systems
- FortiManager
📦 What is this software?
FortiManager by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Attackers with JSON API access could decrypt sensitive configuration data, credentials, or secrets stored in FortiManager, potentially compromising the entire managed Fortinet infrastructure.
Likely Case
Authorized but malicious users or compromised accounts could extract encrypted secrets from the system, leading to lateral movement or privilege escalation within the network.
If Mitigated
With trusted-host restrictions, least-privilege admin profiles and network segmentation, only a small set of administrators connecting from known addresses can reach the JSON API. The hard-coded key is still present on a mitigated system, so this limits who can exploit the flaw rather than removing it; only the fixed release does that.
🎯 Exploit Status
Exploitation requires an account that already holds JSON API access permissions; no unauthenticated remote path is described. Consult the vendor advisory for the current exploitation status.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.6.2, 7.4.6, 7.2.10, 7.0.14, 6.4.15 (confirm the fixed build for your branch against the vendor advisory, since the affected-version list above gives 7.0 and 6.4 as "all versions")
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-094
Restart Required: Yes
Instructions:
1. Back up the FortiManager configuration.
2. Download the appropriate firmware image from the Fortinet Support Portal, following the supported upgrade path for your current build.
3. Upload the firmware to FortiManager via the GUI or CLI.
4. Install the update and reboot the system.
5. Verify the version after reboot (get system status).
🔧 Temporary Workarounds
Restrict JSON API Access
Limit JSON API access to trusted source addresses and to accounts that hold only the permissions their role needs. On FortiManager the administrator table is system admin user (check the CLI reference for your release if the syntax differs):
config system admin user
    edit <admin_user>
        set trusthost1 <trusted_ip> <mask>
    next
end
Disable Unnecessary JSON API Access
Remove JSON API permissions from administrators who do not need them. On FortiManager, JSON API (RPC) access is governed per administrator by rpc-permit: set it to none for accounts that never use the API and to read for accounts that only query, and assign a profile with no more rights than the role needs:
config system admin user
    edit <admin_user>
        set rpc-permit none
        set profileid <restricted_profile>
    next
end
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FortiManager from untrusted networks.
- Enforce least privilege access controls and regularly audit JSON API user permissions.
🔍 How to Verify
Check if Vulnerable:
Check FortiManager version via GUI (System > Dashboard) or CLI (get system status). If version falls within affected ranges, system is vulnerable.
Check Version:
get system status | grep Version
Verify Fix Applied:
After patching, verify that the version is 7.6.2, 7.4.6, 7.2.10, 7.0.14, 6.4.15 or a later build of the same branch.
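The version check above is easy to get wrong by eye (7.2.10 sorts after 7.2.9 numerically but not lexically). The following is an added example, not Fortinet tooling: it parses the Version line of get system status output and compares the build against the fixed releases this page lists. The sample status text is constructed to resemble the CLI output; the fixed-build table is copied from this page, so re-verify it against FG-IR-24-094 before relying on the result.

```python
"""Assess a FortiManager 'get system status' dump for CVE-2024-33504.

Added example, not vendor code. Version ranges come from this page;
confirm them against the vendor advisory before use.
"""
import re

# Fixed builds per branch as listed on this page (assumption: a build at or
# above the fixed build is patched; an unlisted branch is treated as unaffected).
FIXED = {
    (7, 6): (7, 6, 2),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 10),
    (7, 0): (7, 0, 14),
    (6, 4): (6, 4, 15),
}

# Matches "v7.4.3" inside a line such as "Version : v7.4.3-build2519 240410 (GA)".
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)")

# Constructed sample resembling the CLI output; not captured from a real device.
SAMPLE_STATUS = """\
Platform Type                   : FMG-VM64
Platform Full Name              : FortiManager-VM64
Version                         : v7.4.3-build2519 240410 (GA)
Serial Number                   : FMG-VMTM00000000
"""


def parse_version(status_output):
    """Return (major, minor, patch) from the Version line, or None if absent."""
    for line in status_output.splitlines():
        if line.strip().lower().startswith("version"):
            m = VERSION_RE.search(line)
            if m:
                return tuple(int(x) for x in m.groups())
    return None


def is_vulnerable(version):
    """True if the build is below the fixed release of its branch.

    Tuple comparison orders numerically, so (7, 2, 9) < (7, 2, 10) holds.
    """
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return False  # branch not listed on this page
    return version < fixed


def assess(status_output):
    """Map raw status text to ('vulnerable'|'not vulnerable'|'unknown', version)."""
    version = parse_version(status_output)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_vulnerable(version) else "not vulnerable", version)


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
```

Paste the real get system status output into assess() (or pipe it through the script) rather than comparing strings by hand; the "unknown" result deliberately fails open so a parsing miss is noticed instead of being reported as patched.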
📡 Detection & Monitoring
Log Indicators:
- Unusual JSON API access patterns
- Multiple failed authentication attempts followed by successful JSON API access
- Access from unexpected IP addresses to JSON API endpoints
Network Indicators:
- Unusual traffic to FortiManager JSON API ports (default 443)
- Traffic patterns suggesting data exfiltration from FortiManager
SIEM Query (generic pseudo-query; map the field names to your SIEM's FortiManager parser):
source="fortimanager" AND (event_type="admin_login" OR api_method="*json*") AND (src_ip NOT IN trusted_ips)
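The two log indicators above (JSON API access from an unexpected address, and a run of failed logins followed by a successful JSON API login) can be expressed as a small stateful detector. The following is an added example and not Fortinet or SIEM-vendor code. It parses key=value event lines and runs both rules over them; the field names (srcip, user, action, status, userfrom) and the "jsonrpc" marker are assumptions for illustration and must be mapped to the real FortiManager event-log fields, and the log lines are constructed, not captured.

```python
"""Stateful detection of suspicious JSON API logins over key=value event logs.

Added example, not vendor code. Field names and sample lines are assumed.
"""
import ipaddress
import re
from collections import defaultdict

# Networks from which administrative access is expected (assumption).
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# key=value or key="quoted value" pairs.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample events, not real FortiManager output.
SAMPLE_LOGS = [
    'date=2024-06-03 time=09:01:10 user="admin" srcip=10.10.0.5 action=login status=success userfrom="gui"',
    'date=2024-06-03 time=09:02:14 user="api-svc" srcip=10.10.0.9 action=login status=success userfrom="jsonrpc"',
    'date=2024-06-03 time=09:05:02 user="admin" srcip=198.51.100.7 action=login status=failed userfrom="jsonrpc"',
    'date=2024-06-03 time=09:05:04 user="admin" srcip=198.51.100.7 action=login status=failed userfrom="jsonrpc"',
    'date=2024-06-03 time=09:05:06 user="admin" srcip=198.51.100.7 action=login status=failed userfrom="jsonrpc"',
    'date=2024-06-03 time=09:05:09 user="admin" srcip=198.51.100.7 action=login status=success userfrom="jsonrpc"',
]


def parse_kv(line):
    """Parse one event line into a dict; quoted values keep their spaces."""
    rec = {}
    for m in KV_RE.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return rec


def is_trusted(ip, nets=TRUSTED_NETS):
    """True if ip falls inside a trusted network; unparsable input is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def detect(lines, trusted=TRUSTED_NETS, fail_threshold=3):
    """Return (rule, srcip, user) alerts for the two indicators on this page.

    Rule 1: a successful JSON API login from outside the trusted networks.
    Rule 2: a successful login preceded by >= fail_threshold failures from
            the same source address (counter resets on success).
    """
    alerts = []
    failed = defaultdict(int)  # consecutive failed logins per source IP
    for line in lines:
        rec = parse_kv(line)
        if rec.get("action") != "login":
            continue
        src, user = rec.get("srcip", ""), rec.get("user", "")
        via_api = "jsonrpc" in rec.get("userfrom", "").lower()
        if rec.get("status") != "success":
            failed[src] += 1
            continue
        if via_api and not is_trusted(src, trusted):
            alerts.append(("json_api_from_untrusted_source", src, user))
        if failed[src] >= fail_threshold:
            alerts.append(("failures_then_success", src, user))
        failed[src] = 0
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Rule 2 keys on the source address rather than the username so that password spraying across accounts from one host is still caught; in a real deployment add a time window to the failure counter so that stale failures do not trigger alerts days later.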