Exploit released for maximum severity Fortinet RCE bug, patch now

Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet’s security information and event management (SIEM) solution, which was patched in February.

Tracked as CVE-2024-23108, this security flaw is a command injection vulnerability discovered and reported by Horizon3 vulnerability expert Zach Hanley that enables remote command execution as root without requiring authentication.

"Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests," Fortinet says.

CVE-2024-23108 impacts FortiSIEM versions 6.4.0 and higher and was patched by the company on February 8, together with a second RCE vulnerability (CVE-2024-23109) with a 10/10 severity score.

After first denying that the two CVEs were real and claiming they were actually duplicates of a similar flaw (CVE-2023-34992) fixed in October, Fortinet also said the disclosure of the CVEs was "a system-level error" because they were mistakenly generated due to an API issue.

However, the company eventually confirmed they were both CVE-2023-34992 variants with the same description as the original vulnerability.

On Tuesday, over three months after Fortinet released security updates to patch this security flaw, Horizon3’s Attack Team shared a proof-of-concept (PoC) exploit and published a technical deep-dive.

"While the patches for the original PSIRT issue, FG-IR-23-130, attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second order command injection when certain parameters to datastore.py are sent," Hanley said.

"Attempts to exploit CVE-2024-23108 will leave a log message containing a failed command with datastore.py nfs test."
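As an added example that is not part of the article or of Horizon3's tooling, the following Python script turns that indicator into a simple log check: it reports only lines that both record a failed command and mention "datastore.py nfs test", so a successful "nfs test" run is not flagged. The log layout, the "failed command" wording and the sample lines are assumptions constructed here, not real FortiSIEM output.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicator from Horizon3's write-up: a logged *failed* command that
# contains "datastore.py nfs test". Both patterns are deliberately loose.
INDICATOR = re.compile(r"datastore\.py\s+nfs\s+test", re.IGNORECASE)
FAILED = re.compile(r"\bfail(?:ed|ure)\b", re.IGNORECASE)   # assumed wording


@dataclass
class Hit:
    line_no: int
    timestamp: str
    command: str


def scan_lines(lines):
    """Return a Hit for each line that both reports a failure and carries the
    indicator; a successful 'nfs test' run on its own is not reported."""
    hits = []
    for no, line in enumerate(lines, start=1):
        if not (INDICATOR.search(line) and FAILED.search(line)):
            continue
        ts = re.match(r"\S+", line)               # first token assumed to be the timestamp
        cmd = re.search(r"datastore\.py.*", line)  # rest of the line after the script name
        hits.append(Hit(no, ts.group(0) if ts else "", cmd.group(0).strip() if cmd else ""))
    return hits


def summarize(hits):
    """Count identical failed commands so repeated attempts stand out."""
    return Counter(h.command for h in hits)


# Constructed sample lines; the layout is assumed, not real FortiSIEM output.
SAMPLE_LOG = """\
2024-05-28T10:01:02Z supervisor: datastore.py nfs test nas01:/export completed
2024-05-28T10:05:17Z supervisor: failed command: datastore.py nfs test nas01:/export
2024-05-28T10:05:18Z supervisor: failed command: datastore.py nfs test nas01:/export
2024-05-28T10:07:00Z supervisor: healthcheck passed
"""

if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h.line_no} {h.timestamp}: {h.command}")
    print(summarize(found))
```

On real appliances, point the scanner at the supervisor's log files and treat any hit as a trigger for patch verification and further investigation of the source of the API requests.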

The PoC exploit released today by Horizon3 helps execute commands as root on any Internet-exposed and unpatched FortiSIEM appliances.

Horizon3’s Attack Team also released a PoC exploit for a critical flaw in Fortinet’s FortiClient Enterprise Management Server (EMS) software, which is now actively exploited in attacks.

Fortinet vulnerabilities are frequently exploited—often as zero-days—in ransomware and cyber espionage attacks targeting corporate and government networks.

For instance, the company revealed in February that Chinese Volt Typhoon hackers used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger remote access trojan (RAT), a malware strain that was also recently used to backdoor a military network of the Dutch Ministry of Defence.
