CVE-2024-23113: Fortinet FortiOS — Format String RCE

CVE Details

CVE ID:        CVE-2024-23113
CVSS Score:    9.8
Severity:      Critical
Vendor:        Fortinet
Product:       FortiOS / FortiProxy / FortiPAM / FortiWeb
Patch Status:  Available
Published:     February 28, 2026

Background

Fortinet FortiOS is the operating system underlying FortiGate firewalls, one of the largest deployments of network security appliances in the enterprise and SMB markets. FortiProxy, FortiPAM (Privileged Access Management), and FortiWeb (web application firewall) share components of the same codebase. The fgfmd daemon (FortiGate to FortiManager Daemon) is a core component that manages communications between FortiGate devices and FortiManager central management servers.

CVE-2024-23113 is a format string vulnerability in the fgfmd daemon, disclosed in February 2024 with a CVSS score of 9.8. Format string vulnerabilities arise when user-controlled input is used directly as the format string in functions like printf(), sprintf(), or syslog(). CISA added CVE-2024-23113 to its KEV catalogue in October 2024 after confirming active exploitation, making it one of several critical Fortinet vulnerabilities that have been exploited in the wild.

Technical Mechanism

Format string vulnerabilities are a class of memory corruption vulnerabilities that occur when attacker-controlled data is used as the format string argument to functions in the printf family. The affected fgfmd daemon uses such a function call unsafely.

When FortiOS receives connection requests to the FGFM protocol (used for Fortinet device management, typically on TCP port 541), the fgfmd daemon processes these requests. In the vulnerable code path, data from the request is passed directly as the format string to a logging or error reporting function:

// Conceptual vulnerable code pattern (illustrative, not Fortinet source)
#include <syslog.h>

// VULNERABLE: attacker_data is used as the format string, so any %x / %n
// directives it contains are interpreted against whatever is on the stack
void process_fgfm_request(char *attacker_data) {
    syslog(LOG_INFO, attacker_data);
}

// FIXED: attacker_data is passed as an argument to a constant format string
void process_fgfm_request_fixed(char *attacker_data) {
    syslog(LOG_INFO, "%s", attacker_data);
}
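As an added illustration (not Fortinet code or tooling), the Python below is a lightweight audit for this bug class: it flags printf-family calls whose format argument is not a string literal, run over a constructed snippet built from the pattern above. Compilers do the same check properly with -Wformat -Wformat-security, which is the control to enable on any C code base that logs untrusted input.

```python
import re

# Printf-family sinks and the 0-based position of their format argument.
# Added illustration, not Fortinet code: a lightweight audit for the bug class.
FORMAT_SINKS = {"printf": 0, "fprintf": 1, "sprintf": 1,
                "snprintf": 2, "syslog": 1, "vsyslog": 1}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_SINKS) + r")\s*\(")

def split_args(text):
    """Split a C argument list on top-level commas, stopping at its ')'."""
    args, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            if ch == "\\":                      # keep escaped char in the literal
                cur.append(text[i:i + 2]); i += 2; continue
            in_str = ch != '"'
        elif ch == '"':
            in_str = True
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:                      # closing ')' of the call
                args.append("".join(cur).strip()); break
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip()); cur = []; i += 1; continue
        cur.append(ch); i += 1
    return args

def find_nonliteral_formats(source):
    """Return (line, function, format_expr) for printf-family calls whose
    format argument is not a string literal, i.e. the CVE-2024-23113 pattern."""
    findings = []
    for m in CALL_RE.finditer(source):
        func = m.group(1)
        args = split_args(source[m.end():])
        idx = FORMAT_SINKS[func]
        if idx < len(args) and not args[idx].startswith('"'):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, func, args[idx]))
    return findings

# Constructed sample built from the page's conceptual pattern.
SAMPLE = """void process_fgfm_request(char *attacker_data) {
    syslog(LOG_INFO, attacker_data);                 /* vulnerable */
    syslog(LOG_INFO, "%s", attacker_data);           /* fixed */
    snprintf(buf, sizeof buf, "req=%s", attacker_data);
}
"""
```

The audit is textual and will miss format strings built indirectly (a variable that happens to hold a literal), which is why the compiler warning, not this script, should gate the build.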

Format string exploitation techniques:

  • %n specifier: Writes the count of bytes printed so far to the address pointed to by the corresponding argument — a write-what-where primitive
  • %s specifier: Reads from arbitrary memory addresses as strings — an arbitrary read primitive
  • %x / %p specifiers: Leak stack/heap addresses to defeat ASLR

A full exploit chain:

  1. Use %x or %p format specifiers to leak addresses from the stack, defeating ASLR
  2. Use %n combined with padding specifiers (%Nc) to write calculated values to specific memory addresses
  3. Overwrite a function pointer or return address to redirect execution to a shellcode or ROP chain payload

The complexity of format string exploitation has increased with modern mitigations (full RELRO, stack canaries, NX), but Fortinet appliances running custom Linux kernels may have weaker mitigation configurations, and the format string write primitive can bypass many standard protections.

The fgfmd daemon runs with elevated privileges, providing root-level code execution upon successful exploitation.

Real-World Exploitation Evidence

CISA added CVE-2024-23113 to its KEV catalogue in October 2024, confirming exploitation in the wild. The vulnerability follows a pattern of Fortinet FortiOS vulnerabilities that have attracted sophisticated threat actors:

  • Nation-state targeting: Advanced persistent threat groups with demonstrated Fortinet exploitation capability (including groups previously linked to Chinese state espionage) were among the first to develop operational exploits.
  • Chained exploitation: Evidence of CVE-2024-23113 being used in combination with other Fortinet vulnerabilities to achieve stealthy persistence on FortiGate appliances.
  • Configuration persistence: Post-exploitation techniques that survive firmware updates by writing to the configuration partition have been documented in prior Fortinet compromises and are suspected in CVE-2024-23113 campaigns.
  • FortiManager targeting: The fgfmd daemon’s role in FortiManager communications means that exploiting it on a FortiGate could potentially provide access to the FortiManager instance managing multiple devices.

Impact Assessment

Exploitation of CVE-2024-23113 on FortiOS provides:

  • Root code execution: The fgfmd daemon runs with elevated privileges; exploitation provides root shell access to the FortiOS appliance.
  • Network perimeter compromise: FortiGate firewalls are perimeter security devices; root access undermines all security policies enforced by the device.
  • FortiManager pivot: If the device is managed by FortiManager, the attacker can leverage the established fgfmd communications channel to attack the management server.
  • Persistent access: Sophisticated attackers have demonstrated ability to persist on FortiOS appliances through firmware update cycles.
  • Traffic manipulation: Root access allows modification of firewall rules and routing configurations, enabling traffic redirection and inspection.

Affected Versions

Product          Affected Versions   Fixed Version
FortiOS 7.4      7.4.0 – 7.4.2       7.4.3+
FortiOS 7.2      7.2.0 – 7.2.6       7.2.7+
FortiOS 7.0      7.0.0 – 7.0.13      7.0.14+
FortiOS 6.4      All 6.4.x           6.4.x (apply workaround; no patch for this branch)
FortiProxy 7.4   7.4.0 – 7.4.2       7.4.3+
FortiProxy 7.2   7.2.0 – 7.2.8       7.2.9+
FortiPAM 1.3     All                 1.3.1+
FortiWeb 7.4     7.4.0 – 7.4.2       7.4.3+

Remediation Steps

  1. Apply patches: Upgrade to the fixed FortiOS versions listed above via the Fortinet Customer Support portal.

  2. Remove fgfmd access from untrusted interfaces (workaround for versions without available patch):

    config system interface
        edit [wan_interface]
            set allowaccess [remove fgfm from list]
        next
    end

    This prevents external access to the FGFM service.

  3. Restrict FGFM to management IP only:

    config system global
        set fgd-alert-subscription advisory latest-threat
    end
    config system interface
        edit mgmt
            set allowaccess ping https ssh fgfm
        next
    end

  4. Verify appliance integrity: Use Fortinet’s FortiGuard Outbreak Prevention features to check for indicators of compromise consistent with known Fortinet exploitation campaigns.

  5. Review FortiManager connectivity: If devices are managed via FortiManager, audit the management server for signs of lateral movement from compromised FortiGate devices.
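The interface change in steps 2 and 3 can be audited across a configuration backup before and after the change. As an added example (not a Fortinet tool), the Python below parses the config system interface block of a FortiOS config dump and lists every interface that still allows fgfm outside the designated management interface; the sample configuration, hostname and interface names are constructed.

```python
def parse_interfaces(config_text):
    """Map interface name -> allowaccess services from the
    'config system interface' block of a FortiOS config (show/backup syntax)."""
    interfaces, current, in_block, nested = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system interface"
            continue
        if line.startswith("config "):          # nested table, e.g. config ipv6
            nested += 1
        elif line == "end":
            if nested == 0:                     # end of the interface block
                break
            nested -= 1
        elif nested == 0 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            interfaces[current] = []
        elif nested == 0 and line.startswith("set allowaccess ") and current:
            interfaces[current] = line[len("set allowaccess "):].split()
        elif nested == 0 and line == "next":
            current = None
    return interfaces

def fgfm_exposure(config_text, management_interfaces=("mgmt",)):
    """Names of interfaces that allow fgfm but are not designated management
    interfaces; these are the ones remediation step 2 tells you to fix."""
    return sorted(name for name, services in parse_interfaces(config_text).items()
                  if "fgfm" in services and name not in management_interfaces)

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
end
config system interface
    edit "wan1"
        set allowaccess ping https fgfm
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "mgmt"
        set allowaccess ping https ssh fgfm
    next
    edit "internal"
        set allowaccess ping
    next
end
"""
```

Run it against the backup taken after the change as well: an empty result for the non-management interfaces is the condition to verify before closing the ticket.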

Detection Guidance

Log sources:

  • FortiOS event log: Log & Report > System Events
  • fgfmd daemon logs accessible via diagnose debug application fgfmd
  • Network monitoring for unusual traffic on TCP port 541 (FGFM)

CLI detection commands:

# Check fgfmd process status and listen ports
diagnose sys process show fgfmd
diagnose debug application fgfmd -1

# Review recent system event log entries (log category 1 = event log)
get system event-filter
execute log filter category 1
execute log display

Indicators of Compromise:

  • Unexpected configuration changes not matching change management records
  • New or modified administrator accounts
  • fgfmd crash/restart events in system logs
  • Unusual inbound connections on TCP 541 from non-FortiManager IPs
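As an added example (not Fortinet's tooling), the Python below runs two of the indicators above over FortiOS-style key=value log lines: fgfmd crash/restart messages and inbound TCP/541 connections from addresses that are not the known FortiManager. The log lines, their message text and the FortiManager address are constructed for the example.

```python
import re

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortios_log(line):
    """Parse a FortiOS key=value log line into a dict (values may be quoted)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def triage(lines, fortimanager_ips):
    """Flag two indicators from the list above: fgfmd crash/restart events and
    inbound TCP/541 connections from hosts that are not a known FortiManager."""
    findings = []
    for line in lines:
        rec = parse_fortios_log(line)
        msg = rec.get("msg", "").lower()
        if (rec.get("type") == "event" and "fgfmd" in msg
                and re.search(r"crash|restart|signal", msg)):
            findings.append(("fgfmd_crash_or_restart", rec.get("msg")))
        if (rec.get("type") == "traffic" and rec.get("dstport") == "541"
                and rec.get("proto") == "6"
                and rec.get("srcip") not in fortimanager_ips):
            findings.append(("unexpected_fgfm_client", rec.get("srcip")))
    return findings

# Constructed sample lines in FortiOS log syntax (RFC 5737 documentation
# addresses; not real device output).
SAMPLE_LOGS = [
    'date=2024-10-10 time=09:12:00 type="traffic" subtype="local" srcip=203.0.113.45 '
    'srcport=51522 dstip=198.51.100.2 dstport=541 proto=6 action="accept"',
    'date=2024-10-10 time=09:12:01 type="event" subtype="system" level="warning" '
    'logdesc="Daemon restarted" msg="fgfmd exited on signal 11, restarting"',
    'date=2024-10-10 time=09:15:00 type="traffic" subtype="local" srcip=192.0.2.10 '
    'srcport=44012 dstip=198.51.100.2 dstport=541 proto=6 action="accept"',
]
```

A fgfmd restart within seconds of a TCP/541 connection from an unknown source, as in the first two sample lines, is the pairing worth escalating; either alone has benign explanations.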

Suricata signature:

alert tcp $EXTERNAL_NET any -> $HOME_NET 541 (msg:"Fortinet FortiOS CVE-2024-23113 FGFM Format String Probe"; flow:established,to_server; dsize:>512; content:"|00|"; depth:4; threshold:type limit, track by_src, count 3, seconds 60; reference:cve,2024-23113; classtype:attempted-admin; sid:9002311; rev:2;)

The null-byte check is anchored with depth rather than within, since within is relative to a preceding content match and the rule has none. Treat this as a coarse probe detector: it keys on oversized payloads to the FGFM port, not on the vulnerability itself, so tune the source allowlist to your FortiManager addresses to keep legitimate management traffic out of the alert stream.

Timeline

Date                Event
February 8, 2024    Fortinet publishes advisory for CVE-2024-23113
February 2024       Patches released for FortiOS, FortiProxy, FortiPAM, FortiWeb
October 9, 2024     CISA adds CVE-2024-23113 to KEV catalogue (confirmed exploitation)
October 2024        Multiple security firms report active exploitation campaigns
Late 2024           Attribution to state-sponsored actors published