
Warning: PoC exploit released for FortiNet FortiSIEM

Reference: Advisory #2024-079
Version: 1.0
Affected software: Fortinet FortiSIEM
Type: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE/CVSS:
  • CVE-2023-34992: CVSS 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2024-23108: CVSS 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2024-23109: CVSS 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Vendor Advisory: https://www.fortiguard.com/psirt/FG-IR-23-130

Blog post of researcher: https://www.horizon3.ai/attack-research/cve-2024-23108-fortinet-fortisiem-2nd-order-command-injection-deep-dive/

Risks

Security researcher Zach Hanley from Horizon3.ai released a PoC exploit for vulnerability CVE-2024-23108 in Fortinet FortiSIEM. CVE-2024-23108 and CVE-2024-23109 are newly discovered variations of CVE-2023-34992, which was disclosed on October 10th 2023 by FortiGuard. All of these vulnerabilities allow an attacker to execute unauthorized commands on a FortiSIEM system through API requests. Threat actors are actively exploiting these vulnerabilities.

The Centre for Cybersecurity Belgium (CCB) recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. This report contains instructions to help your organisation do so.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Description

An improper neutralization of special elements used in an OS command in Fortinet FortiSIEM versions 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests.

Fortinet has released software patches that address these vulnerabilities.
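The affected version ranges listed above are easy to misread during an asset review (six separate inclusive ranges across two major versions). The following is an added example, not part of the CCB advisory or any Fortinet tooling: it parses FortiSIEM version strings from a constructed inventory and reports which hosts fall inside the ranges the advisory names. The inventory hostnames and version strings are made up for illustration. A host that is outside the listed ranges is reported as "not in a listed range" rather than "fixed", because this page does not state the fixed releases; confirm those against the vendor advisory linked under Sources.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as stated in the advisory text (inclusive on both ends).
AFFECTED_RANGES = [
    ((7, 1, 0), (7, 1, 1)),
    ((7, 0, 0), (7, 0, 2)),
    ((6, 7, 0), (6, 7, 8)),
    ((6, 6, 0), (6, 6, 3)),
    ((6, 5, 0), (6, 5, 2)),
    ((6, 4, 0), (6, 4, 2)),
]

# Accepts "7.1.1", "v7.1.1" and strings with a trailing build suffix such as
# "7.0.2-build0123"; the suffix is ignored for range comparison.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[.-].*)?\s*$")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) or None if the string is not a version."""
    match = _VERSION_RE.match(text)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version lies in an advisory range, False if not, None if unparseable."""
    version = parse_version(version_text)
    if version is None:
        return None
    # Tuple comparison is lexicographic, which matches semantic ordering here.
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a triage verdict for the patching queue."""
    verdicts = {}
    for host, version_text in inventory.items():
        affected = is_affected(version_text)
        if affected is None:
            verdicts[host] = "UNPARSEABLE - verify manually"
        elif affected:
            verdicts[host] = "AFFECTED - patch with highest priority"
        else:
            verdicts[host] = "not in a listed range - confirm against vendor advisory"
    return verdicts


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "siem-prod-01.example.internal": "7.1.1",
    "siem-prod-02.example.internal": "v7.0.2-build0123",
    "siem-lab-01.example.internal": "6.7.9",
    "siem-legacy.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:32} {verdict}")
```

Feed the script your own host-to-version mapping (for example exported from a CMDB) in place of SAMPLE_INVENTORY; anything marked AFFECTED belongs at the top of the patch queue, and anything UNPARSEABLE needs a hands-on check of the appliance.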

Recommended Actions

Patch
The Centre for Cybersecurity Belgium (CCB) strongly recommends installing updates for vulnerable software with the highest priority, after thorough testing.
The latest version of the affected product and the fixed releases are listed in the vendor advisory: https://www.fortiguard.com/psirt/FG-IR-23-130

Monitor/Detect
The CCB recommends organisations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.