Experts released PoC exploit code for RCE in Fortinet SIEM
May 28, 2024
Researchers released a proof-of-concept (PoC) exploit for the remote code execution flaw CVE-2024-23108 in Fortinet's SIEM solution.
Security researchers at Horizon3’s Attack Team released a proof-of-concept (PoC) exploit for a remote code execution issue, tracked as CVE-2024-23108, in Fortinet’s SIEM solution. The PoC exploit allows executing commands as root on Internet-facing FortiSIEM appliances.
In February, cybersecurity vendor Fortinet warned of two critical vulnerabilities in FortiSIEM, tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS score 10), which could lead to remote code execution.
“Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.” reads the advisory published by Fortinet.
The affected products are:
- FortiSIEM version 7.1.0 through 7.1.1
- FortiSIEM version 7.0.0 through 7.0.2
- FortiSIEM version 6.7.0 through 6.7.8
- FortiSIEM version 6.6.0 through 6.6.3
- FortiSIEM version 6.5.0 through 6.5.2
- FortiSIEM version 6.4.0 through 6.4.2
The CERT-EU also published an advisory for the above vulnerabilities:
“In February 2024, Fortinet quietly updated a 2023 advisory, joining two critical flaws to the list of OS Command vulnerabilities affecting its FortiSIEM product. If exploited, these vulnerabilities could allow a remote unauthenticated attacker to execute commands on the system.” reads the advisory published by CERT-EU. “Updating is recommended as soon as possible.”
This week, Horizon3’s Attack Team also published a technical analysis of the vulnerability.
“While the patches for the original PSIRT issue, FG-IR-23-130, attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second order command injection when certain parameters to datastore.py are sent. There” reads the analysis.
The researchers noticed that the logs for the phMonitor service, located at /opt/phoenix/logs/phoenix.log, provide detailed records of received messages. Any exploitation attempt of CVE-2024-23108 will generate log entries indicating a failed command with “datastore.py nfs test.” These lines should be used as indicators of compromise to detect exploitation attempts.
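A defender-side check built on that indicator, as an added example that is not code from the article or from Horizon3; the phoenix.log line layout and the sample lines below are constructed assumptions, since the real format is not shown here:

```python
"""Scan phMonitor logs for CVE-2024-23108 exploitation-attempt indicators.

Added example (not the article's or Horizon3's code). The log line layout is
an assumption; FortiSIEM's actual phoenix.log format is not shown on the page.
"""
import re
from typing import Iterable

# Indicator named in the article: a failed command containing this string.
INDICATOR = "datastore.py nfs test"
LOG_PATH = "/opt/phoenix/logs/phoenix.log"  # path given in the article

# Assumed layout: "<timestamp> <level> phMonitor: <message>" (may differ in reality).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\S+)\s+phMonitor:\s*(?P<msg>.*)$")


def is_exploit_attempt(line: str) -> bool:
    """True when the line records a *failed* command carrying the indicator."""
    return INDICATOR in line and "fail" in line.lower()


def scan_lines(lines: Iterable[str]) -> list[dict]:
    """Return one finding per matching line: line number, timestamp, message."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if not is_exploit_attempt(line):
            continue
        m = LINE_RE.match(line.rstrip("\n"))
        findings.append({
            "line": lineno,
            "timestamp": m.group("ts") if m else None,
            "message": m.group("msg") if m else line.strip(),
        })
    return findings


def scan_file(path: str = LOG_PATH) -> list[dict]:
    """Scan a log file on disk (run on the appliance or on a collected copy)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


# Constructed sample lines (not real FortiSIEM output) so the script runs offline.
SAMPLE_LOG = [
    "2024-05-27T10:14:02Z INFO phMonitor: received message type=PH_MSG_DATASTORE",
    "2024-05-27T10:14:02Z ERROR phMonitor: command failed: /opt/phoenix/bin/datastore.py nfs test",
    "2024-05-27T10:15:30Z INFO phMonitor: datastore.py nfs test completed",
    "2024-05-27T10:16:11Z ERROR phMonitor: command failed: datastore.py nfs test",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f['line']} at {f['timestamp']}: {f['message']}")
```

Only lines that both carry the indicator and report a failure are flagged, so a successful, legitimate run of the same command is not counted.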
Pierluigi Paganini
(SecurityAffairs – hacking, SIEM)