May 28, 2024 at 12:25PM
Security researchers have released a proof-of-concept (PoC) exploit for a critical vulnerability in Fortinet’s FortiSIEM solution, impacting versions 6.4.0 and higher. Tracked as CVE-2024-23108, the flaw enables remote command execution as root without authentication. With a public PoC now available, attackers could use the flaw to execute unauthorized commands, so it must be patched promptly to mitigate the risk.
Key takeaways:
– Horizon3 vulnerability expert Zach Hanley discovered and reported a maximum-severity vulnerability (tracked as CVE-2024-23108) in Fortinet’s security information and event management (SIEM) solution, impacting FortiSIEM Supervisor versions 6.4.0 and higher.
– This security flaw is a command injection vulnerability (CWE-78) that allows remote unauthenticated attackers to execute unauthorized commands via crafted API requests.
– In addition to CVE-2024-23108, a second remote code execution (RCE) vulnerability (CVE-2024-23109) was also patched by Fortinet on February 8, with a severity score of 10/10.
– Following initial denial and confusion, Fortinet confirmed that both CVEs were variants of a similar flaw (CVE-2023-34992) fixed in October, with the same description as the original vulnerability.
– Horizon3’s Attack Team has shared a proof-of-concept (PoC) exploit for CVE-2024-23108, which allows executing commands as root on unpatched FortiSIEM appliances.
– Additionally, an actively exploited critical flaw in Fortinet’s FortiClient Enterprise Management Server (EMS) software has been disclosed and a PoC exploit has been released.
It is important to note that Fortinet vulnerabilities, including those in FortiOS SSL VPN, are frequently exploited in ransomware and cyber espionage attacks targeting corporate and government networks.