RCE Vulnerability Fortinet FortiSIEM

A proof-of-concept (PoC) exploit has been released for a critical unauthenticated, remote code execution vulnerability in Fortinet FortiSIEM, tracked as CVE-2023-34992.

The vulnerability, which has a CVSS score of 10.0, was discovered by researchers at Horizon3.ai during an audit of Fortinet appliances in early 2023.

Fortinet FortiSIEM is a comprehensive Security Information and Event Management (SIEM) solution that provides log collection, correlation, automated response, and remediation capabilities.

RCE Vulnerability & PoC

A critical vulnerability was found during an audit of Fortinet appliances, revealing several issues that culminated in the discovery of this significant flaw.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

By analyzing the decompiled Java code, researchers found that the doPost method of LicenseUploadServlet insufficiently sanitizes user input, allowing an attacker to inject arbitrary commands via the “Name” parameter

FortiSIEM’s backend web service is deployed via Glassfish, a Java framework. The vulnerability resides LicenseUploadServlet.class within the web service.

The doPost method of this servlet was found to be susceptible to command injection, allowing unauthenticated attackers to exploit the system.

The PoC demonstrates how an attacker can leverage this vulnerability to gain unauthenticated remote code execution.

By exploiting the LicenseUploadServlet, the attacker can upload a malicious payload that executes commands in the context of the root user.

This access can be used to read secrets from integrated systems, enabling further lateral movement within the network. Full PoC can be found on GitHub.

Successful exploitation of CVE-2023-34992 allows attackers to:

  • Execute arbitrary commands as the root user.
  • Read sensitive information and secrets from integrated systems.
  • Pivot to other systems within the network, potentially leading to widespread compromise.

Mitigation

Fortinet has fixed this vulnerability in a recent update. Any FortiSIEM version from 6.4.0 to 7.1.1 is at risk. Fortinet has issued patches for versions 7.0.3, 7.1.3, and 6.7.9, and it is recommended to upgrade to these versions or later.

Furthermore, patches for versions 7.2.0, 6.6.5, 6.5.3, and 6.4.4 are anticipated to be released soon.

Users are strongly advised to apply the latest patches to mitigate the risk. Additionally, it is recommended to follow best practices for securing SIEM deployments, such as restricting access to the management interface and regularly auditing system configurations.

Organizations utilizing FortiSIEM should review their logs for any unusual activity, especially in the file /opt/phoenix/logs/phoenix.logs that could potentially hold the contents of messages received for the phMonitor service.

Organizations using Fortinet FortiSIEM should prioritize updating their systems to protect against potential exploitation of this severe vulnerability.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Guru Baran
https://cybersecuritynews.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.