Security researchers at Horizon3’s Attack Team released an exploit for a remote code execution issue, tracked as , in Fortinet’s SIEM solution. The PoC exploit allows executing commands as root on Internet-facing FortiSIEM appliances.
In February, cybersecurity vendor Fortinet warned of two critical vulnerabilities in FortiSIEM, tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS score 10), which could lead to remote code execution.
“Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.” reads the advisory published by Fortinet.
The affected products are:
The CERT-EU also published an advisory for the above vulnerabilities:
“In February 2024, Fortinet quietly updated a 2023 advisory, joining two critical flaws to the list of OS Command vulnerabilities affecting its FortiSIEM product. If exploited, these vulnerabilities could allow a remote unauthenticated attacker to execute commands on the system.” reads the advisory published by CERT-EU. “Updating is recommended as soon as possible.”
This week, Horizon3’s Attack Team also published a technical analysis of the vulnerability.
“While the patches for the original PSIRT issue, , attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second order command injection when certain parameters to datastore.py are sent. There” reads the analysis.
The researchers noticed that the logs for the phMonitor service, located at /opt/phoenix/logs/phoenix.log, provide detailed records of received messages. Any exploitation attempt of CVE-2024-23108 will generate log entries indicating a failed command with “datastore.py nfs test.” These lines should be used as indicators of compromise to detect exploitation attempts.
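As an added example (not code from the article, Horizon3 or Fortinet), the following Python scanner applies that indicator to phoenix.log lines and groups hits by source. The timestamp and source-IP layout of the log is an assumption, and the sample lines are constructed, not real phMonitor output.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicator from the article: a failed command mentioning "datastore.py nfs test"
# in /opt/phoenix/logs/phoenix.log (the phMonitor service log).
INDICATOR = "datastore.py nfs test"

# ASSUMPTION: the real phoenix.log layout is not shown in the article; these
# patterns only enrich a hit with a timestamp and source IP when present.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

@dataclass
class Hit:
    line_no: int
    timestamp: Optional[str]
    source_ip: Optional[str]
    raw: str

def scan_phoenix_log(lines: Iterable[str]) -> List[Hit]:
    """Return every log line carrying the CVE-2024-23108 exploitation indicator."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        if INDICATOR not in line:
            continue
        ts = _TS_RE.match(line)
        ip = _IP_RE.search(line)
        hits.append(Hit(n, ts.group(1) if ts else None,
                        ip.group(1) if ip else None, line.rstrip("\n")))
    return hits

def summarize(lines: Iterable[str]) -> dict:
    """Count indicator hits overall and per source IP (None if no IP was parsed)."""
    hits = scan_phoenix_log(lines)
    by_source: dict = {}
    for h in hits:
        by_source[h.source_ip] = by_source.get(h.source_ip, 0) + 1
    return {"total": len(hits), "by_source": by_source}

# Constructed sample lines; not genuine phoenix.log output.
SAMPLE_LOG = [
    "2024-05-28 10:14:02 phMonitor INFO  heartbeat ok",
    "2024-05-28 10:15:31 phMonitor ERROR command failed: datastore.py nfs test from 198.51.100.23",
    "2024-05-28 10:15:32 phMonitor INFO  scheduled job completed",
    "2024-05-28 10:16:07 phMonitor ERROR command failed: datastore.py nfs test from 198.51.100.23",
]

if __name__ == "__main__":
    for h in scan_phoenix_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.timestamp} {h.source_ip}")
    print(summarize(SAMPLE_LOG))
```

On a live appliance, feed the function the lines of /opt/phoenix/logs/phoenix.log and forward any hit to the SIEM case queue.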