Merge pull request #898 from kscdivd/main

Update case
DIVD-NL · Dec 17, 2024 · 1b94d01 · 1b94d01
2 parents d7e4826 + f50585a
commit 1b94d01
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/_cases/2024/DIVD-2024-00044.md b/_cases/2024/DIVD-2024-00044.md
@@ -45,11 +45,14 @@ timeline:
 ## Summary
 A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. Reports have shown this vulnerability is exploited in the wild.
 
+## Vulnerability detection
+In our fingerprint we check for open 541 ports from the internet that run the Fortimanger software and using default fortinet client-certificates to build up a secure connection to the device. After the connection is established, we trigger a specially function that allow us to check if this FortiManager software version is vulnerabile to  give full shell access without authentication what can result in execution of arbitrary code or Remote code executions (RCE).
+
 ## Recommendations
 Upgrade to a non-vulnerable version according to the FortiGuard advisory FG-IR-24-423. We recommend restricting public access to your instance when you are unable to either patch or apply the workaround provided by Fortinet. We also recommend checking your FortiManager for unrecognised serial numbers and perform forensics on your instance when you do find unrecognised serial numbers. Fortinet provides recovery methods in their FortiGuard advisory. 
 
 ## What we are doing
-DIVD is researching the vulnerability to determine a reliable fingerprint. 
+DIVD is currently working to identify parties that are running a vulnerable version of FortiManager and notify these parties.
 
 {% include timeline.html %}