fbpx

Exploit released for maximum severity Fortinet RCE bug, patch now

by Wire Tech

​Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) solution, which was patched in February.

Tracked as CVE-2024-23108, this security flaw is a command injection vulnerability discovered and reported by Horizon3 vulnerability expert Zach Hanley that enables remote command execution as root without requiring authentication.

"Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests," Fortinet says.

CVE-2024-23108 impacts FortiClient FortiSIEM versions 6.4.0 and higher and was patched by the company on February 8, together with a second RCE vulnerability (CVE-2024-23109) with a 10/10 severity score.

After first denying that the two CVEs were real and claiming they were actually duplicates of a similar flaw (CVE-2023-34992) fixed in October, Fortinet also said the disclosure of the CVEs was “a system-level error” because they were mistakenly generated due to an API issue.

However, the company eventually confirmed they were both CVE-2023-34992 variants with the same description as the original vulnerability.

On Tuesday, over three months after Fortinet released security updates to patch this security flaw, Horizon3's Attack Team shared a proof-of-concept (PoC) exploit and published a technical deep-dive.

"While the patches for the original PSIRT issue, FG-IR-23-130, attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second order command injection when certain parameters to datastore.py are sent," Hanley said.

"Attempts to exploit CVE-2024-23108 will leave a log message containing a failed command with datastore.py nfs test."

The PoC exploit released today by Horizon3 helps execute commands as root on any Internet-exposed and unpatched FortiSIEM appliances.

Horizon3's Attack Team also released a PoC exploit for a critical flaw in Fortinet’s FortiClient Enterprise Management Server (EMS) software, which is now actively exploited in attacks.

Fortinet vulnerabilities are frequently exploited—often as zero-days—in ransomware and cyber espionage attacks targeting corporate and government networks.

For instance, the company revealed in February that Chinese Volt Typhoon hackers used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger remote access trojan (RAT), a malware strain that was also recently used to backdoor a military network of the Dutch Ministry of Defence.

Related Articles:

QNAP QTS zero-day in Share feature gets public RCE exploit

Maximum severity Flowmon bug has a public exploit, patch now

Critical Fluent Bit flaw impacts all major cloud providers

PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers

Widely used modems in industrial IoT devices open to SMS attack

________________________________________________________________________________________________________________________________
Original Article Published at Bleeping Computer
________________________________________________________________________________________________________________________________

You may also like

Leave a Comment

Unlock the Power of Technology with Tech-Wire: The Ultimate Resource for Computing, Cybersecurity, and Mobile Technology Insights

Copyright @2023 All Right Reserved