CVE-2021-32589

Summary

A Use After Free (CWE-416) vulnerability in FortiManager version 7.0.0, version 6.4.5 and below, version 6.2.7 and below, version 6.0.10 and below, version 5.6.10 and below, version 5.4.7 and below, version 5.2.10 and below, version 5.0.12 and below and FortiAnalyzer version 7.0.0, version 6.4.5 and below, version 6.2.7 and below, version 6.0.10 and below, version 5.6.10 and below, version 5.4.7 and below, version 5.3.11, version 5.2.10 to 5.2.4 fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the fgfm port of the targeted device.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiManager7.0.0affected
FortinetFortiManager6.4.0 <= 6.4.5affected
FortinetFortiManager6.2.0 <= 6.2.7affected
FortinetFortiManager6.0.0 <= 6.0.10affected
FortinetFortiManager5.6.0 <= 5.6.10affected
FortinetFortiManager5.4.0 <= 5.4.7affected
FortinetFortiManager5.2.0 <= 5.2.10affected
FortinetFortiManager5.0.0 <= 5.0.12affected
FortinetFortiAnalyzer7.0.0affected
FortinetFortiAnalyzer6.4.0 <= 6.4.5affected
FortinetFortiAnalyzer6.2.0 <= 6.2.7affected
FortinetFortiAnalyzer6.0.0 <= 6.0.10affected
FortinetFortiAnalyzer5.6.0 <= 5.6.10affected
FortinetFortiAnalyzer5.4.0 <= 5.4.7affected
FortinetFortiAnalyzer5.3.11affected
FortinetFortiAnalyzer5.2.4 <= 5.2.10affected

Weaknesses

  • CWE-416: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References