Warning: PoC exploit released for Fortinet FortiSIEM
- CVE-2023-34992: CVSS 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CVE-2024-23108: CVSS 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CVE-2024-23109: CVSS 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Vendor Advisory: https://www.fortiguard.com/psirt/FG-IR-23-130
Blog post of researcher: https://www.horizon3.ai/attack-research/cve-2024-23108-fortinet-fortisiem-2nd-order-command-injection-deep-dive/
Risks
Security researcher Zach Hanley of Horizon3.ai has released a proof-of-concept (PoC) exploit for CVE-2024-23108 in Fortinet FortiSIEM. CVE-2024-23108 and CVE-2024-23109 are newly discovered variants of CVE-2023-34992, which FortiGuard disclosed on 10 October 2023. All three vulnerabilities allow an attacker to execute unauthorized commands on a FortiSIEM system through crafted API requests; the CVSS vectors above (PR:N, UI:N) indicate that no credentials or user interaction are required. Threat actors are actively exploiting these vulnerabilities.
The Centre for Cybersecurity Belgium (CCB) recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. This report contains instructions to help your organisation.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
Description
An improper neutralization of special elements used in an OS command (OS command injection) in Fortinet FortiSIEM versions 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests.
Fortinet has released software patches that address these vulnerabilities.
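The affected-version list above is easy to misread during triage, so the following helper, added here as an example and not Fortinet or CCB tooling, checks an inventory of FortiSIEM hosts against exactly those ranges. The version format (three dotted integers with an optional build suffix), the hostnames and the versions in the sample inventory are assumptions made for the example.

```python
"""Triage helper for this advisory: flag FortiSIEM builds whose version falls
inside the affected ranges listed in the Description section.

Added example, not Fortinet or CCB tooling. The ranges are copied from the
advisory text; the sample inventory is constructed. The version format
(three dotted integers, optionally followed by a build suffix) is an assumption.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in the advisory, inclusive at both ends.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("7.1.0", "7.1.1"),
    ("7.0.0", "7.0.2"),
    ("6.7.0", "6.7.8"),
    ("6.6.0", "6.6.3"),
    ("6.5.0", "6.5.2"),
    ("6.4.0", "6.4.2"),
]


def parse_version(text: str) -> Version:
    """Turn '7.1.1' (or an assumed build-suffix form such as '7.1.1-build0121')
    into the tuple (7, 1, 1).

    Comparing tuples of ints avoids the classic string-comparison bug where
    '6.7.10' sorts before '6.7.8'. Raises ValueError on anything unexpected so a
    typo in the inventory is reported instead of silently treated as safe.
    """
    core = text.strip().split("-", 1)[0].split(" ", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'affected', 'not in listed ranges' or 'unparseable'.

    'not in listed ranges' is deliberately not called 'safe': a build newer than
    a listed range may be fixed, but an older branch (e.g. 6.3.x) is simply not
    mentioned by the advisory. Both cases should be confirmed against the vendor
    advisory rather than assumed from this list.
    """
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not in listed ranges"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "siem-prod-01": "7.1.1",
    "siem-prod-02": "7.0.3",
    "siem-lab-01": "6.7.8-build0121",
    "siem-legacy-01": "6.3.9",
    "siem-unknown": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16s} {SAMPLE_INVENTORY[host]:18s} {status}")
```

Feed it the version strings from your own asset inventory; anything reported as "unparseable" or "not in listed ranges" still needs a manual check against the vendor advisory before the host is considered out of scope.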
Recommended actions
Patch
The Centre for Cyber Security Belgium strongly recommends installing updates for vulnerable software with the highest priority, after thorough testing.
The fixed versions and upgrade guidance for the affected product can be found in the vendor advisory: https://www.fortiguard.com/psirt/FG-IR-23-130
Monitor/Detect
The CCB recommends organisations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise: review system and network logs for signs of earlier exploitation before treating a patched system as clean.