Horizon3.ai researches have released proof-of-concept (PoC) exploits for CVE-2024-23108 and CVE-2023-34992, vulnerabilities that allow remote, unauthenticated command execution as root on certain Fortinet FortiSIEM appliances.
CVE confusion
FortiSIEM helps customers build an inventory of their organization’s assets, it aggregates logs and correlates information for threat detection and hunting, and allows automated response and remediation.
CVE-2024-23108 and CVE-2024-23109 are OS command injection vulnerabilities in the FortiSIEM supervisor and can be exploited remotely, without authentication, with specially crafted API requests.
Both flagged by Zach Hanley of Horizon3.ai, they are variants/patch bypasses of CVE-2023-34992, which Fortinet fixed in October 2023.
The two variants were fixed in January 2024, and admins were advised to upgrade.
(Fortinet created some confusion regarding CVE-2024-23108 and CVE-2024-23109 because it initially stated that the two CVEs were assigned erroneously, then later said that they were variants of CVE-2023-34992. An email Hanley received from Fortinet PSIRT confirmed the assigned CVEs.)
PoC exploits and indicators of compromise
PoCs for CVE-2024-23108 and CVE-2023-34992 have been published by Hanley on GitHub.
Hanley has noted that “there is very little difference in the exploitation of the previous command injection, CVE-2023-34992, to this one, CVE-2024-23108, reported 6 months later”, and said that attempts to exploit them will leave evidence in the logs for the phMonitor service. For example, attempts to exploit CVE-2024-23108 will leave a log message containing a failed command with datastore.py nfs test.
Admins should check their FortiSIEM installations and (if they haven’t already) upgrade to a version containing the fix.
Vulnerabilities in Fortinet solutions are often leveraged by attackers in the wild, but there is no mention yet of these ones being exploited.