CISOOnline

Fortinet hit by another exploited cybersecurity flaw

The flaw is described as “an improper neutralization of special elements” used in a SQL command vulnerability. This means that a single HTTP request with a crafted header value is sufficient to execute arbitrary SQL against the backing PostgreSQL database, according to a deep dive report by pentesting company Bishop Fox. An attacker who can reach the EMS web interface over HTTPS “needs no credentials to exploit this,” it said.

“This gives attackers access to admin credentials, endpoint inventory data, security policies, and certificates for managed endpoints,” the researchers wrote. They pointed out that the endpoint returns database error messages and has no lockout protections, allowing attackers to quickly extract sensitive data.

The Shadowserver Foundation, a nonprofit security watchdog, is currently tracking more than 2,400 FortiClient EMS instances with web interfaces exposed to the internet, the majority of them in the US and Europe. Shodan, a search engine for internet-connected devices, reported 1,000 publicly exposed instances of FortiClient EMS.
