Experts released PoC exploit code for RCE in Fortinet SIEM

Researchers released a proof-of-concept (PoC) exploit for remote code execution flaw CVE-2024-23108 in Fortinet SIEM solution.

Security researchers at Horizon3’s Attack Team released a proof-of-concept (PoC) exploit for a remote code execution issue, tracked as CVE-2024-23108, in Fortinet’s SIEM solution. The PoC exploit allows executing commands as root on Internet-facing FortiSIEM appliances.

In February, cybersecurity vendor Fortinet warned of two critical vulnerabilities in FortiSIEM, tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS score 10), which could lead to remote code execution.

“Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.” reads the advisory published by Fortinet.

The affected products are:

  • FortiSIEM version 7.1.0 through 7.1.1
  • FortiSIEM version 7.0.0 through 7.0.2
  • FortiSIEM version 6.7.0 through 6.7.8
  • FortiSIEM version 6.6.0 through 6.6.3
  • FortiSIEM version 6.5.0 through 6.5.2
  • FortiSIEM version 6.4.0 through 6.4.2

The CERT-EU also published an advisory for the above vulnerabilities:

“In February 2024, Fortinet quietly updated a 2023 advisory, joining two critical flows to the list of OS Command vulnerabilities affecting its FortiSIEM product. If exploited, these vulnerabilities could allow a remote unauthenticated attacker to execute commands on the system.” reads the advisory published by CERT-EU. “Updating is recommended as soon as possible.”

This week, Horizon3’s Attack Team also published a technical analysis of the vulnerability.

“While the patches for the original PSIRT issue, FG-IR-23-130, attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second order command injection when certain parameters to datastore.py are sent. There” reads the analysis.

The researchers noticed that the logs for the phMonitor service, located at /opt/phoenix/logs/phoenix.log, provide detailed records of received messages. Any exploitation attempt of CVE-2024-23108 will generate log entries indicating a failed command with “datastore.py nfs test.” These lines should be used as indicators of compromise to detect exploitation attempts.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SIEM)