
Security researchers at Horizon3’s Attack Team released a proof-of-concept exploit for a remote code execution issue, tracked as CVE-2024-23108, in Fortinet’s SIEM solution. The PoC exploit allows executing commands as root on Internet-facing FortiSIEM appliances.
In February, Fortinet warned of two critical vulnerabilities in FortiSIEM, tracked as CVE-2024-23108 and CVE-2024-23109, which could lead to remote code execution.
The affected products are:
- FortiSIEM version 7.1.0 through 7.1.1
- FortiSIEM version 7.0.0 through 7.0.2
- FortiSIEM version 6.7.0 through 6.7.8
- FortiSIEM version 6.6.0 through 6.6.3
- FortiSIEM version 6.5.0 through 6.5.2
- FortiSIEM version 6.4.0 through 6.4.2
Horizon3’s Team also published a technical analysis of the vulnerability.
While the patches for the original PSIRT issue, FG-IR-23-130, attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second-order command injection when certain parameters to datastore.py are sent.
The researchers noticed that the logs for the phMonitor service, located at /opt/phoenix/logs/phoenix.log, provide detailed records of received messages. Any exploitation attempt of CVE-2024-23108 will generate log entries indicating a failed command with “datastore.py nfs test.” These lines should be used as indicators of compromise to detect exploitation attempts.
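As an added example (not code from Horizon3 or Fortinet), a small Python scanner that applies this indicator to lines read from phoenix.log; only the "datastore.py nfs test" string comes from the write-up, while the line layout and the sample entries are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicator from the Horizon3 analysis: exploitation attempts leave a failed
# datastore.py invocation with these arguments in phMonitor's phoenix.log.
INDICATOR = re.compile(r"datastore\.py\s+nfs\s+test", re.IGNORECASE)

# Assumed line layout (a placeholder, the real phoenix.log format may differ):
# "<date> <time> <component> <LEVEL> <message>". Lines that do not fit it are
# still matched on raw content rather than silently dropped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<comp>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)


@dataclass
class Hit:
    timestamp: str
    level: str
    message: str


def find_cve_2024_23108_attempts(lines: Iterable[str]) -> List[Hit]:
    """Return entries whose message carries the datastore.py indicator.

    The match is case-insensitive and tolerant of extra whitespace so that
    trivial spacing variations in the injected arguments do not evade it.
    """
    hits: List[Hit] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not INDICATOR.search(line):
            continue
        m = LINE_RE.match(line)
        if m:
            hits.append(Hit(m["ts"], m["level"], m["msg"]))
        else:
            hits.append(Hit("?", "?", line))  # unparsed layout, keep raw line
    return hits


# Constructed sample lines (not real FortiSIEM output) for a local check.
SAMPLE_LOG = [
    "2024-05-28 10:00:01 phMonitor INFO heartbeat ok",
    "2024-05-28 10:02:17 phMonitor ERROR command failed: datastore.py nfs test",
    "2024-05-28 10:02:18 phMonitor ERROR command failed: datastore.py  NFS  test",
    "2024-05-28 10:05:00 phMonitor INFO datastore.py nfs status ok",
]

if __name__ == "__main__":
    for hit in find_cve_2024_23108_attempts(SAMPLE_LOG):
        print(hit.timestamp, hit.level, hit.message)
```

In production the function would be fed the lines of /opt/phoenix/logs/phoenix.log (or its forwarded copy) and each Hit raised as an alert for triage.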
Timeline
29 November 2023 – Reported CVE-2024-23108
30 November 2023 – Reported CVE-2024-23109
3 January 2024 – PSIRT reproduces issues
16 January 2024 – Fortinet silently fixes the issues in v7.1.2 build 0160 with no mention of the vulnerabilities, PSIRT releases, or CVEs published
31 January 2024 – Fortinet publicly “discloses” the issues by adding unpublished CVE IDs to the PSIRT released for CVE-2023-34992 6 months prior without adding a changelog entry
7 February 2024 – Fortinet publicly publishes the CVE IDs.
Later in 2024 – Fortinet eventually adds a changelog entry to the PSIRT and adds CVE IDs to the release documents
28 May 2024 – PoC released