CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability

CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability


Fortinet warns of a critical SQL Injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code on vulnerable FortiClientEMS software.

Update March 21: The Analysis section has been updated to include confirmation by Fortinet that in-the-wild exploitation of this flaw has been observed.

View Change Log

Background

On March 12, Fortinet published an advisory (FG-IR-24-007) to address a critical flaw in its FortiClient Enterprise Management Server (FortiClientEMS), a solution which enables centralized management of multiple endpoints.

CVE Description CVSSv3 Severity
CVE-2023-48788 Critical SQL Injection Vulnerability (or Improper neutralization of special elements in an SQL command) 9.3 Critical

At the time this blog was published, Fortinet’s advisory assigned a CVSSv3 score of 9.3 to this flaw, while the entry on the National Vulnerability Database (NVD) lists the CVSSv3 score as 9.8 and also links to an advisory that is not currently available. This blog will be updated to reflect the correct CVSSv3 score if the advisory or NVD record are updated.

Analysis

CVE-2023-48788 is a critical SQL injection vulnerability that could allow an unauthenticated, remote attacker to execute commands or arbitrary code through specifically crafted requests. At the time this blog was published, Fortinet’s advisory did not include any messaging about known exploitation of this vulnerability. However, due to prior targeting of Fortinet devices and word of an upcoming proof-of-concept (PoC) exploit for the flaw, in-the-wild exploitation is likely to occur.

Researchers at GreyNoise have published a tag for CVE-2023-48788 on the GreyNoise platform that can be used to monitor for in-the-wild exploitation attempts.

On March 21, Fortinet updated its advisory with a note confirming this vulnerability “is exploited in the wild.” However, no further details were shared outside of this update and we are not aware of any other confirmations of in-the-wild exploitation.

Historical exploitation of Fortinet devices

Fortinet devices have been frequently targeted by attackers with several noteworthy flaws observed since 2019.

Fortinet’s FortiOS and FortiProxy have been popular targets for threat actors, including CVE-2023-27997, a critical heap-based buffer overflow and CVE-2022-40684, a critical authentication bypass vulnerability. Other vulnerabilities in Fortinet devices have attracted the attention of multiple nation-state threat actors and ransomware groups like Conti. Fortinet vulnerabilities have been included as part of the top routinely exploited vulnerability lists in recent years.

Last month, Fortinet released an advisory and patch for CVE-2024-21762, an out-of-bound write vulnerability which had been exploited in the wild as a zero-day. Just days prior to that announcement, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a cybersecurity advisory (CSA) warning of state-sponsored threat actors from the People’s Republic of China (PRC) pre-positioning themselves in United States networks across critical infrastructure using vulnerabilities in Fortinet devices as well as other SSL VPN devices from other vendors. In the CSA, CVE-2022-42475, a heap-based buffer overflow in FortiOS, was specifically mentioned based on observed exploitation of the flaw, highlighting the continued use of vulnerabilities affecting Fortinet devices by a variety of threat actors.

Proof of concept

At the time this blog was published, no public proof-of-concept had been identified for this vulnerability, however, the Horizon3 Attack Team has stated a PoC will be published next week along with indicators of compromise (IoCs). On March 21, the Horizon3 Attack Team released their PoC code along with a detailed write-up about how they reproduced the issue and developed a functional exploit that demonstrates the vulnerability without allowing for remote code execution.

As exploit code has been released and with past abuse of Fortinet flaws by threat actors, including advanced persistent threat (APT) actors and nation-state groups, we highly recommend remediating this vulnerability as soon as possible.

Solution

Fortinet has released patches to address this SQL injection vulnerability as outlined in the table below:

Affected Product Affected Version Fixed Version
FortiClientEMS 7.2 7.2.0 through 7.2.2 7.2.3 or above
FortiClientEMS 7.0 7.0.1 through 7.0.10 7.0.11 or above

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2023-48788 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Change Log

Update March 21: The Analysis section has been updated to include confirmation by Fortinet that in-the-wild exploitation of this flaw has been observed.

Update March 21: The Proof of Concept section has been updated to reflect that exploit code has been released.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.





Source link
lol

Fortinet warns of a critical SQL Injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code on vulnerable FortiClientEMS software. Update March 21: The Analysis section has been updated to include confirmation by Fortinet that in-the-wild exploitation of this flaw has been observed. View Change Log Background On March 12, Fortinet published an…

Leave a Reply

Your email address will not be published. Required fields are marked *