
PoC Exploit Released for Critical Fortinet FortiSIEM Command Injection Vulnerability

A proof-of-concept (PoC) exploit has been released for a critical vulnerability in Fortinet’s FortiSIEM.

The vulnerability, CVE-2024-23108, allows for remote, unauthenticated command execution as root.

This article delves into the details of the vulnerability, its discovery, and its implications for Fortinet users.

In November 2023, while preparing for a call for papers, a cybersecurity researcher attempted to investigate the FortiSIEM patch for CVE-2023-34992.

According to the researcher's report, a request to Fortinet's Product Security Incident Response Team (PSIRT) for access to the most recent versions of their appliances was declined.

Undeterred, the researcher acquired access through alternative means and analyzed the patch.

Discovery of New Vulnerabilities

Fortinet addressed the original issue, FG-IR-23-130, by introducing the wrapShellToken() utility to escape user-controlled inputs.

However, the researcher discovered a second-order command injection vulnerability when specific parameters were sent to datastore.py.


This led to the identification of two distinct vulnerabilities, CVE-2024-23108 and CVE-2024-23109, with a CVSS3 score of 10.0. This article focuses on CVE-2024-23108, as both vulnerabilities were patched in the same release.

CVE-2023-34992 Patch and Code Flow Analysis

In the case of CVE-2023-34992, the phMonitor service on tcp/7900 was exploited by sending a handleStorageRequest message with a malicious server_ip value.

The specific command executed was:

/usr/bin/python3.9 /opt/phoenix/deployment/jumpbox/datastore.py nfs test '<server_ip>' '<mount_point>' online

Upon inspecting the control flow of datastore.py for this type of request, it was found that the server_ip field is validated by attempting to connect to the IP address.

Figure 1: datastore.py validating server_ip

After validation, control is passed to /opt/phoenix/deployment/jumpbox/datastore/nfs/test.py. Here, a call to __testMount() formats a call to os.system() on line 23, deriving the nfs_string value from the user-controlled mount_point payload value.

Figure: _testMount() calls os.system()

By formatting a request to the phMonitor client with a command type of 81 and the following payload, an unauthenticated attacker can achieve remote code execution as root.

Figure: Exploiting for reverse shell
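As an added illustration, not Fortinet's code and not from the PoC, the following hypothetical Python sketch contrasts the pattern described above (a mount_point value interpolated straight into a shell command string) with two hardened forms: per-token escaping in the spirit of wrapShellToken() (shlex.quote stands in for it here) and an allowlist-validated argv list that involves no shell at all. The mount command shape, the /tmp/nfs_test scratch path and the validation regexes are assumptions.

```python
import re
import shlex

# Hypothetical sketch of the pattern the article describes; not Fortinet's test.py.
# Assumed: the NFS test mounts <server_ip>:<mount_point> at a fixed scratch path.
SCRATCH = "/tmp/nfs_test"
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
MOUNT_POINT_RE = re.compile(r"^/[A-Za-z0-9_./-]*$")


def nfs_string_unsafe(server_ip, mount_point):
    # server_ip was only "validated" by connecting to it, and mount_point not at all;
    # both land verbatim in a string handed to os.system(), so a ';' or quote in
    # mount_point ends the mount command and starts a new one as root.
    return "mount -t nfs %s:%s %s" % (server_ip, mount_point, SCRATCH)


def nfs_string_escaped(server_ip, mount_point):
    # Per-token escaping, the approach of the first fix; shlex.quote stands in for
    # wrapShellToken(). It works only if every call site that builds a command
    # line remembers to apply it, which is how a second-order path can be missed.
    target = shlex.quote("%s:%s" % (server_ip, mount_point))
    return "mount -t nfs %s %s" % (target, SCRATCH)


def nfs_argv(server_ip, mount_point):
    # Preferred form: allowlist-validate, then hand an argv list to
    # subprocess.run(argv) without shell=True, so nothing is parsed by a shell.
    if not IPV4_RE.match(server_ip):
        raise ValueError("server_ip is not an IPv4 address")
    if not MOUNT_POINT_RE.match(mount_point):
        raise ValueError("mount_point contains characters outside the allowlist")
    return ["mount", "-t", "nfs", "%s:%s" % (server_ip, mount_point), SCRATCH]
```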

The exploitation method for CVE-2024-23108 is strikingly similar to that of CVE-2023-34992, reported six months earlier.

Figure 2: CVE-2023-34992 vs CVE-2024-23108

The proof of concept exploit for CVE-2024-23108 has been made available on GitHub, providing cybersecurity professionals with the necessary tools to test their systems and ensure they are not vulnerable.

Indicators of Compromise

To detect potential exploitation of CVE-2024-23108, administrators should inspect the logs for the phMonitor service at /opt/phoenix/logs/phoenix.log.

Attempts to exploit this vulnerability will leave a log message containing a failed command with datastore.py nfs test.

These lines should be scrutinized for any malicious input.

Figure: Malicious commands logged
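An added triage example, not from the article or the PoC: it scans constructed phoenix.log-style lines (the real log format is an assumption, as are the sample entries) for the failed datastore.py nfs test command shape quoted above and flags any server_ip or mount_point value that carries shell metacharacters.

```python
import re

# Constructed sample in a phoenix.log-like style; the real format is an assumption.
SAMPLE_LOG = """\
2024-02-06 10:12:01 phMonitor INFO handleStorageRequest: command type 81
2024-02-06 10:12:02 phMonitor ERROR command failed: /usr/bin/python3.9 /opt/phoenix/deployment/jumpbox/datastore.py nfs test '10.0.0.5' '/export/siem' online
2024-02-06 10:13:44 phMonitor ERROR command failed: /usr/bin/python3.9 /opt/phoenix/deployment/jumpbox/datastore.py nfs test '10.0.0.5' '/export/siem; id' online
2024-02-06 10:14:10 phMonitor INFO heartbeat ok
"""

# The command shape quoted in the article: datastore.py nfs test '<server_ip>' '<mount_point>' online
CMD_RE = re.compile(r"datastore\.py nfs test '([^']*)' '(.*)' online")

# Characters with no business in an NFS server address or export path, but which
# a shell treats as quoting or command separators.
META_RE = re.compile(r"[;&|`$(){}<>\\']")


def parse_line(line):
    """Return the server_ip and mount_point from a logged nfs test command, or None."""
    m = CMD_RE.search(line)
    if not m:
        return None
    return {"server_ip": m.group(1), "mount_point": m.group(2)}


def is_suspicious(fields):
    """Flag values that could break out of the quoting in the logged command."""
    return any(META_RE.search(fields[k]) for k in ("server_ip", "mount_point"))


def triage(log_text):
    """Return (line_no, server_ip, mount_point) for each suspicious nfs test entry."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = parse_line(line)
        if fields and is_suspicious(fields):
            hits.append((n, fields["server_ip"], fields["mount_point"]))
    return hits


if __name__ == "__main__":
    for n, ip, mp in triage(SAMPLE_LOG):
        print("line %d: server_ip=%r mount_point=%r" % (n, ip, mp))
```

Against a real appliance, feed the contents of /opt/phoenix/logs/phoenix.log to triage() and review every hit by hand; a benign export path should never contain the characters in META_RE.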

The release of the PoC exploit for CVE-2024-23108 underscores the importance of timely patching and vigilant system log monitoring.

Fortinet users are urged to apply the latest patches and review their logs for any signs of compromise.

As cybersecurity threats continue to evolve, staying informed and proactive is crucial in safeguarding critical systems.


Dhivya

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
