CVE-2024-36508
📋 TL;DR
This path traversal vulnerability in Fortinet FortiManager and FortiAnalyzer allows authenticated admin users with diagnose privileges to delete arbitrary files on the system. It affects specific versions of both products, potentially enabling file system manipulation and system disruption.
💻 Affected Systems
- Fortinet FortiManager
- Fortinet FortiAnalyzer
📦 What is this software?
Fortianalyzer by Fortinet
Fortianalyzer by Fortinet
Fortimanager by Fortinet
Fortimanager by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious admin could delete critical system files, configuration files, or log files, causing system instability, service disruption, or complete system compromise.
Likely Case
Privileged users could accidentally or intentionally delete important files, leading to configuration loss, audit trail destruction, or operational issues.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized administrative actions that can be audited and reversed.
🎯 Exploit Status
Exploitation requires authenticated admin access with diagnose privileges; path traversal techniques are well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiManager/FortiAnalyzer 7.4.3 or 7.2.5 and later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-147
Restart Required: Yes
Instructions:
1. Backup current configuration. 2. Download and install FortiManager/FortiAnalyzer version 7.4.3 or 7.2.5 from Fortinet support portal. 3. Apply firmware update through web interface or CLI. 4. Reboot device after installation. 5. Verify version update.
🔧 Temporary Workarounds
Restrict Diagnose Privileges
allRemove diagnose privileges from admin accounts that don't require them, limiting potential exploiters.
config system admin
edit <admin_username>
unset accprofile
set accprofile <restricted_profile>
end
Implement CLI Access Controls
allRestrict CLI access to only necessary administrative users and implement session logging.
config system admin
edit <admin_username>
set trusthost1 <trusted_ip>
set trusthost2 <trusted_ip>
end
🧯 If You Can't Patch
- Implement strict access controls and monitor all admin CLI sessions
- Regularly audit file system integrity and maintain comprehensive backups
🔍 How to Verify
Check if Vulnerable:
Check current version via CLI: 'get system status' and verify if version is within affected range (7.4.0-7.4.2 or <7.2.5).Check Version:
get system status | grep VersionVerify Fix Applied:
After patching, run 'get system status' to confirm version is 7.4.3+ or 7.2.5+. Test CLI file operations are properly restricted.📡 Detection & Monitoring
Log Indicators:
- CLI session logs showing file deletion commands
- Admin activity logs with diagnose privilege usage
- File system audit logs showing unexpected file deletions
Network Indicators:
- Unusual CLI session patterns from admin accounts
- Multiple file deletion operations in short timeframes
SIEM Query:
source="fortimanager" OR source="fortianalyzer" AND (event_type="cli_command" AND command="*delete*" OR command="*rm*")