March 21, 2024 at 11:18AM
Security researchers have released a PoC exploit for a critical SQL injection vulnerability in Fortinet’s FortiClient EMS. Tracked as CVE-2023-48788, it impacts versions 7.0 and 7.2 and allows unauthenticated threat actors to gain RCE with SYSTEM privileges. Horizon3’s PoC only confirms the flaw, but the researchers also described how attackers can modify it to use the Microsoft SQL Server xp_cmdshell procedure for code execution. Notably, Fortinet vulnerabilities are often exploited for ransomware and cyber espionage.
From the meeting notes:
– Security researchers have released a proof-of-concept (PoC) exploit for a critical vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS) software, which is actively exploited in attacks.
– Tracked as CVE-2023-48788, this security flaw is an SQL injection in the DB2 Administration Server (DAS) component discovered and reported by the UK’s National Cyber Security Centre (NCSC).
– It impacts FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2), and enables unauthenticated threat actors to gain remote code execution (RCE) with SYSTEM privileges on unpatched servers in low-complexity attacks that don’t require user interaction.
– Fortinet released a security advisory acknowledging the SQL injection vulnerability and later updated the advisory to confirm that the “vulnerability is exploited in the wild.”
– Security researchers with Horizon3’s Attack Team published a technical analysis and shared a proof-of-concept (PoC) exploit that confirms the vulnerability without providing remote code execution. They also detailed how the PoC can be adapted to achieve remote code execution by using the Microsoft SQL Server xp_cmdshell procedure.
– Shodan and the Shadowserver threat monitoring service found over 440 and 300 exposed FortiClient Enterprise Management Server (EMS) servers online, respectively, with most of them located in the United States.
– In February, Fortinet patched another critical remote code execution (RCE) bug (CVE-2024-21762) in the FortiOS operating system and FortiProxy secure web proxy. CISA confirmed that the CVE-2024-21762 bug was also being actively exploited and directed federal agencies to secure their FortiOS and FortiProxy devices within seven days.
– Fortinet security vulnerabilities are frequently exploited for unauthorized access to corporate networks for ransomware attacks and cyber espionage campaigns, often using zero-day exploits.
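Because the escalation from SQL injection to code execution described above goes through xp_cmdshell, one check a defender can run today is whether that procedure is enabled on the SQL Server instance behind FortiClient EMS. The T-SQL below is an added example for this summary, not code from Fortinet, Horizon3 or the article; it assumes you are connected to that instance with a sysadmin-level login (instance name and connection details are yours to supply).

```sql
-- Added example (not from the article, Fortinet or Horizon3): audit and
-- disable xp_cmdshell on the SQL Server instance that backs FortiClient EMS.
-- Assumes a sysadmin-level login on that instance.

-- 1. Audit: value_in_use = 1 means xp_cmdshell is currently enabled.
--    SQL Server ships with it disabled, so a 1 here means something turned it on.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Harden: xp_cmdshell is an advanced option, so it has to be exposed
--    before it can be changed, then hidden again afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Verify: expect value_in_use = 0 for xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Treat this as defense in depth and as a detection signal, not as a fix: the injection itself is only removed by applying Fortinet’s patched release, and if injected queries execute with sysadmin rights the same sp_configure call can re-enable the procedure. Record the baseline value from step 1 and alert on any later change to it.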