Analysis Summary

A proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) system, which was fixed in February, has been made public by security researchers.

Researchers found and reported a command injection vulnerability that allows remote command execution as root without the need for authentication. This vulnerability is tracked as CVE-2024-23108. A remote, unauthenticated attacker may be able to execute unauthorized commands via crafted API calls if many improper neutralizations of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor are performed.

The company released a patch for CVE-2024-23108, which affects FortiClient FortiSIEM versions 6.4.0 and higher, and a second RCE vulnerability (CVE-2024-23109), all with a 10/10 severity score, on February 8. Fortinet first denied the existence of the two CVEs and said they were just duplicates of a similar bug (CVE-2023-34992) that was patched in October.

Later, the company claimed the publication of the CVEs was a system-level error because they were inadvertently created as a result of an API problem. Nevertheless, Fortinet later acknowledged that they were both CVE-2023-34992 variations that shared the same characteristics as the initial vulnerability. More than three months after Fortinet patched this vulnerability with security updates, cybersecurity researchers published a technical deep-dive and presented a proof-of-concept (PoC) exploit on Tuesday.

Although the wrapShellToken() utility was added in the fixes for the initial PSIRT issue, FG-IR-23-130, to try and escape user-controlled inputs at this layer, there is a second-order command injection that occurs when specific parameters to datastore.py are supplied. When a CVE-2024-23108 attack is carried out, a log report containing a failed command using the datastore.py nfs test will be left.

The researchers' PoC exploit facilitates the execution of commands as root on any FortiSIEM appliance that is exposed to the Internet and has not been patched. Additionally, they published a proof-of-concept exploit for a serious vulnerability in the FortiClient Enterprise Management Server (EMS) program from Fortinet, which is actively used in attacks.

Targeting corporate and government networks, ransomware and cyber espionage operations commonly leverage Fortunet vulnerabilities, which are typically discovered as zero days. For example, the company disclosed in February that Coathanger, a malware strain that was also recently used to backdoor a military network of the Dutch Ministry of Defense, was deployed by Chinese Volt Typhoon threat actors using two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997).

Impact

• Remote Command Execution
• Unauthorized Access

Indicators of Compromise

CVE

• CVE-2024-23108

Affected Vendors

Remediation

• Refer to FortiGuard Advisory for patch, upgrade, or suggested workaround information.
• Organizations must test their assets for the aforementioned vulnerabilities and apply the available security patches or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.