Introduction

A critical zero-day vulnerability, “FortiJump Higher,” has been discovered in FortiManager [1], a tool for managing FortiGate devices. This vulnerability, identified by watchTowr, is linked to a previously known flaw, “FortiJump,” and poses significant security risks.

Description

A newly identified zero-day vulnerability, dubbed “FortiJump Higher,” has been discovered in FortiManager [1] [3], a tool for centralized administration of FortiGate devices [3], by the attack surface management provider watchTowr [1]. This privilege escalation vulnerability is linked to CVE-2024-47575 [1], also known as “FortiJump,” a critical missing-authentication flaw that allows remote code execution (RCE). The original FortiJump flaw, which has a critical CVSS score of 9.8 [3], has been under mass exploitation for over three months [3], affecting more than 50 FortiManager devices across various industries [3].

On November 15 [1], while attempting to reproduce an exploit for FortiJump, watchTowr uncovered FortiJump Higher along with two additional file overwrite vulnerabilities and two denial-of-service (DoS) vulnerabilities that could crash the system. The researchers criticized Fortinet’s patch for the original FortiJump vulnerability [2], asserting that it was incomplete and failed to address the root cause, leaving the actual vulnerability exposed to attackers [3]. They suggested that the company may have mistakenly patched the wrong code in a different library, resulting in FortiJump Higher remaining exploitable even in patched versions [1].

Concerns have been raised regarding the overall integrity of the FortiManager codebase, as the simplicity of these vulnerabilities suggests the possibility of undiscovered flaws. watchTowr reached out to Fortinet about the new vulnerability but opted to publish its findings before receiving a response [1], citing the urgency of the situation [2]. It is believed that tech-savvy adversaries familiar with the original FortiJump vulnerability are likely aware of FortiJump Higher [2], raising alarms about its potential use in future attacks [2].

In light of these developments, users are advised to remain vigilant [2]. Recent modifications to the codebase now require device registration before communication [2], which turns the attack vector into a post-authentication privilege escalation [2] and may make it more detectable. A Fortinet spokesperson confirmed that the findings have been forwarded to the company’s headquarters for further investigation [1].

Conclusion

The discovery of “FortiJump Higher” underscores the critical need for robust security measures and thorough patching processes. Users must remain vigilant and ensure their systems are updated to mitigate potential risks. The situation highlights the importance of proactive vulnerability management and the potential for further undiscovered flaws within the FortiManager codebase. Fortinet’s response and subsequent actions will be crucial in addressing these vulnerabilities and preventing future exploitation.

References

[1] https://www.infosecurity-magazine.com/news/watchtowr-new-vulnerability/
[2] https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/
[3] https://www.itpro.com/security/researchers-claim-fortinets-fortijump-patch-was-incomplete-and-left-users-vulnerable