FortiClientEMS (Enterprise Management Server), the security solution used for scalable and centralized management, was discovered with an SQL injection vulnerability that could allow an unauthenticated threat actor to execute unauthorized code or command on vulnerable servers through specially crafted requests.
This vulnerability exists due to improper neutralization of special elements used in an SQL command. The vulnerability was assigned with CVE-2023-48788 and the severity was given as 9.8 (Critical).
However, Fortiguard has acted swiftly upon this vulnerability and has released patches to fix it.
Moreover, this vulnerability was found to be exploited by threat actors in the wild. In addition, a proof-of-concept for this vulnerability has also been released.
Proof Of Concept Analysis – CVE-2023-48788
According to the reports shared with Cyber Security News, this vulnerability exists due to the multiple components on the FortiClient EMS, such as FmcDaemon.exe. FCTDas.exe and one or more endpoint clients.
Free Webinar : Mitigating Vulnerability & 0-day Threats
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:
- The problem of vulnerability fatigue today
- Difference between CVSS-specific vulnerability vs risk-based vulnerability
- Evaluating vulnerabilities based on the business impact/risk
- Automation to reduce alert fatigue and enhance security posture significantly
AcuRisQ, that helps you to quantify risk accurately:
To provide a brief insight, the FmcDaemon.exe is the main service used for communicating with enrolled clients which listens to port 8013 by default for all incoming connections.
The FCTDas.exe is the Data Access Server that is used for translating requests from various other server components into SQL requests which also interacts with Microsoft SQL Server database.
Furthermore, the endpoint clients can communicate with the FmcDaemon on the server via port 8013 (tcp).
However, the vulnerable component was discovered by scanning the installation folder for common SQL strings which revealed that FCTDas.exe establishes connections to the local database over tcp/1433 and also listens for incoming connections over localhost port tcp/65432.
Finding the Vulnerability Trigger
After enabling debug logging to gather communications information between the FcmDaemon.exe and an endpoint.
It was also discovered that many of the message-handling functions were making use of a functionality from policyhelper.dll.
However, the SQL injection was discovered by simply updating the FCTUID in the FcmDaemon message which triggered a simple sleep payload that delayed a 10 second response from the server.
.webp)
For escalating this into a Remote code execution, the built-in xp_cmdshell functionality of Microsoft SQL Server was utilized which was enabled via few other SQL statements.
Moreover, Horizon3 researchers have published a proof-of-concept that only triggers the SQL injection vulnerability to confirm its existence.
.webp)
For FortiClientEMS, there are several log files under the directory C:Program Files (x86)FortinetFortiClientEMSlogs that can be used for further analysis of malicious activity.
As an alternative, the MS SQL logs can also be examined for additional evidence of exploitation through xp_cmdshell.
Additionally, the NodeZero threat actor was also found to be using different techniques to gain execution over vulnerable FortiClientEMS servers using this vulnerability.
.webp)
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.