Security researchers at Horizon3's Attack Team released a proof-of-concept (PoC) exploit for a remote code execution issue, tracked as CVE-2024-23108, in Fortinet's SIEM solution. The PoC exploit allows executing commands as root on Internet-facing FortiSIEM appliances.

In February, cybersecurity vendor Fortinet warned of two critical vulnerabilities in FortiSIEM, tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS score 10), which could lead to remote code execution.

"Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests." reads the advisory published by Fortinet.

The affected products are:
CERT-EU also published an advisory for the above vulnerabilities:

"In February 2024, Fortinet quietly updated a 2023 advisory, joining two critical flaws to the list of OS Command vulnerabilities affecting its FortiSIEM product. If exploited, these vulnerabilities could allow a remote unauthenticated attacker to execute commands on the system." reads the advisory published by CERT-EU. "Updating is recommended as soon as possible."
This week, Horizon3's Attack Team also published a technical analysis of the vulnerability.

"While the patches for the original PSIRT issue, FG-IR-23-130, attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second order command injection when certain parameters to datastore.py are sent. There" reads the analysis.
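The second-order pattern Horizon3 describes, shown here as an added illustration that is not FortiSIEM's or Horizon3's code: a value is escaped correctly at the first shell boundary, persisted raw, and then interpolated unescaped into a second command, so the first layer's quoting never reaches the second. The helper names (wrap_shell_token, layer_one_store, layer_two_vulnerable, layer_two_hardened, is_plain_token) and the sample input are constructed for this example.

```python
"""Second-order command injection: escaping at one shell boundary does not
protect a later one. Constructed example; runs with /bin/sh available."""
import re
import shlex
import subprocess

# Constructed sample input with shell metacharacters (not from the article).
SAMPLE_VALUE = "report; echo INJECTED"


def wrap_shell_token(value: str) -> str:
    """First-layer escaping: quote the token so the shell treats it as data."""
    return shlex.quote(value)


def layer_one_store(value: str, store: dict) -> str:
    """Layer 1: the escaped token is safe in this command. The raw value is then
    persisted, and the quoting does not travel with it."""
    cmd = f"printf %s {wrap_shell_token(value)}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    store["param"] = out  # raw, unquoted value now lives in the data store
    return cmd


def layer_two_vulnerable(store: dict) -> str:
    """Layer 2 (defect): trusts the stored value and splices it into a new shell
    string. Metacharacters in the value are interpreted by the second shell."""
    cmd = f"printf %s {store['param']}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def layer_two_hardened(store: dict) -> str:
    """Layer 2 (fix): pass the value as one argv element with no shell, so its
    content is never parsed as command syntax. Returns the value unchanged."""
    return subprocess.run(["printf", "%s", store["param"]],
                          capture_output=True, text=True).stdout


_PLAIN = re.compile(r"^[A-Za-z0-9_.-]+$")


def is_plain_token(value: str) -> bool:
    """Defense in depth: allowlist check a consumer can apply on read, since a
    stored value may have bypassed validation at an earlier layer."""
    return bool(_PLAIN.match(value))


if __name__ == "__main__":
    store: dict = {}
    layer_one_store(SAMPLE_VALUE, store)
    print("vulnerable layer 2 ->", repr(layer_two_vulnerable(store)))
    print("hardened layer 2   ->", repr(layer_two_hardened(store)))
    print("allowlisted?       ->", is_plain_token(store["param"]))
```

The vulnerable path emits the extra INJECTED output because the second shell parses the stored value, while the hardened path returns the value byte-for-byte.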
Pierluigi Paganini
(SecurityAffairs – hacking, SIEM)