Two command injection bugs threaten Fortinet's FortiSIEM

Affect versions from October 2022 to 2024

Two command injection bugs threaten Fortinet's FortiSIEM

Two new maximum-severity vulnerabilities have hit Fortinet's FortiSIEM product.

Tracked under the identifiers CVE-2024-23108 and CVE-2024-23109, these vulnerabilities threaten the security posture of organisations relying on FortiSIEM for cybersecurity.

Classified as command injection flaws, the vulnerabilities exploit the platform's susceptibility to crafted API requests, enabling attackers to execute unauthorised code.

According to the description of the vulnerabilities on the National Vulnerability Database listing, "An improper neutralisation of special elements used in an os command ('os command injection') in Fortinet FortiSIEM...allows [an] attacker to execute unauthorised code or commands via crafted API requests."

The bugs require minimal complexity and no user interaction, raising fears of potential exploitation by threat actors for a myriad of malicious activities, including data breaches, system compromise and disruption of critical operations.

Versions of FortiSIEM from 6.4.0 (released October 2022) through 7.1.1 (released January 2024) have been identified as vulnerable, encompassing a wide range of deployments across various organisations.

Customers are advised to either upgrade to the new version 7.1.2 or await forthcoming patches to address the vulnerabilities effectively.

Interestingly, the official link provided by Fortinet for information on these vulnerabilities redirects to a write-up about a different FortiSIEM vulnerability reported back in October 2023, which received a high CVSS score of 9.7.

The correlation suggests an underlying vulnerability pattern in FortiSIEM, raising questions about its overall security posture and vulnerability management practices.

While we expect Fortinet to provide some clarity in the coming days, the absence of updated advisories adds to the situation's complexity.

Despite the absence of publicly available exploit code, the severity of the vulnerabilities necessitates immediate attention from Fortinet customers.

Bugs patched earlier

In June last year, Fortinet issued software updates to remedy a critical vulnerability detected in its FortiNAC network access control solution.

The flaw, identified as CVE-2023-33299, was assigned a critical severity score of 9.6 out of 10. It was related to the deserialisation of untrusted data and could be exploited by an unauthenticated attacker through specifically crafted requests to the TCP/1050 service.

Fortinet also addressed a medium-severity vulnerability at that time, indexed as CVE-2023-33300, which involved an improper access control issue impacting FortiNAC versions 9.4.0 through 9.4.3 and FortiNAC versions 7.2.0 through 7.2.1.

In the same month, Fortinet acknowledged another critical vulnerability, CVE-2023-27997, with a CVSS score of 9.2, affecting FortiOS and FortiProxy. This vulnerability posed a potential risk in limited attacks targeting sectors such as government, manufacturing, and critical infrastructure.

In response, the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the importance for organisations to promptly apply patches or implement recommended mitigation measures.

Earlier in March, Fortinet released a fix for yet another critical vulnerability impacting FortiOS and FortiProxy.