Fortinet FortiSIEM PoC published on unauthenticated RCE vulnerability

A proof-of-concept (PoC) exploit has been released for a critical unauthenticated remote code execution vulnerability in Fortinet FortiSIEM, tracked as CVE-2023-34992. The vulnerability, which carries a CVSS score of 10.0, was found by researchers at Horizon3.ai during an audit of Fortinet appliances in early 2023. Fortinet FortiSIEM is a comprehensive Security Information and Event Management (SIEM) solution that provides log collection, correlation, automated response, and remediation capabilities.

RCE Vulnerability & PoC

The vulnerability was discovered during an audit of Fortinet appliances that surfaced several issues, culminating in this critical flaw. By examining the decompiled Java code, the researchers found that the doPost method of LicenseUploadServlet insufficiently sanitizes user input, letting an attacker inject arbitrary commands through the “Name” parameter. FortiSIEM’s backend web service is deployed on Glassfish, a Java framework. The vulnerability resides in LicenseUploadServlet.class within that web service: the servlet’s doPost method was found to be vulnerable to command injection, allowing unauthenticated attackers to compromise the system.


The PoC shows how an attacker can leverage this vulnerability to achieve unauthenticated remote code execution. By manipulating the LicenseUploadServlet, the attacker can upload a malicious payload that runs commands in the context of the root user. This access can be used to read secrets from integrated systems, enabling further lateral movement within the network. The full PoC is available on GitHub.

Successful exploitation of CVE-2023-34992 allows attackers to:

  • Execute arbitrary commands as the root user.
  • Read sensitive data and secrets from integrated systems.
  • Pivot to other systems within the network, potentially leading to widespread compromise.

Mitigation

Fortinet has fixed this vulnerability in a recent update. Any FortiSIEM version from 6.4.0 to 7.1.1 is at risk. Fortinet has released patches in versions 7.0.3, 7.1.3, and 6.7.9, and users are advised to update to these versions or later. Patches for versions 7.2.0, 6.6.5, 6.5.3, and 6.4.4 are expected to be released shortly.

Users are strongly recommended to apply the latest patches to mitigate the risk. Further, it is advised to follow best practices for securing SIEM deployments, such as restricting access to the administration interface and regularly auditing system configurations. Organizations using FortiSIEM should check their logs for any unusual activity, particularly in the file /opt/phoenix/logs/phoenix.logs, which may contain the contents of messages received by the phMonitor service.
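The affected range and fixed builds listed above are easy to misread across branches, so here is an added triage helper (not Fortinet's or Horizon3.ai's code) that classifies FortiSIEM version strings from an asset inventory; the hostnames and versions in SAMPLE_INVENTORY are constructed.

```python
# Affected range and fix versions as given in the advisory text above.
AFFECTED_MIN, AFFECTED_MAX = (6, 4, 0), (7, 1, 1)
RELEASED_FIXES = {(6, 7): (6, 7, 9), (7, 0): (7, 0, 3), (7, 1): (7, 1, 3)}
PENDING_FIXES = {(6, 4): (6, 4, 4), (6, 5): (6, 5, 3), (6, 6): (6, 6, 5), (7, 2): (7, 2, 0)}

# Constructed sample inventory of "hostname,version" lines; not real hosts.
SAMPLE_INVENTORY = """\
siem-prod-01,7.0.1
siem-prod-02,7.1.3
siem-lab-01,6.5.1
siem-old-01,6.3.9
"""

def parse_version(text):
    """Turn '7.0.1' into the comparable tuple (7, 0, 1); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version: {text!r}")
    return tuple(int(p) for p in parts)

def fmt(version):
    return ".".join(str(n) for n in version)

def triage(version_text):
    """Return (status, advice); status is 'patched', 'vulnerable' or 'not_listed'."""
    v = parse_version(version_text)
    fix = RELEASED_FIXES.get(v[:2])  # fixed build on this major.minor branch, if any
    if fix is not None and v >= fix:
        return "patched", None
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        if fix is not None:
            return "vulnerable", f"upgrade to {fmt(fix)} or later"
        pending = PENDING_FIXES.get(v[:2])
        if pending is not None:
            return "vulnerable", f"fix {fmt(pending)} not yet released; restrict admin-interface access and review phoenix.logs meanwhile"
        return "vulnerable", "no branch fix listed; move to 6.7.9, 7.0.3 or 7.1.3 or later"
    return "not_listed", "outside the 6.4.0-7.1.1 range named in the advisory; confirm with Fortinet"

def triage_inventory(csv_text):
    """Run triage over 'hostname,version' lines; returns {host: (status, advice)}."""
    results = {}
    for line in filter(str.strip, csv_text.splitlines()):
        host, version = (field.strip() for field in line.split(",", 1))
        results[host] = triage(version)
    return results

if __name__ == "__main__":
    for host, (status, advice) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}" + (f" ({advice})" if advice else ""))
```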

Organizations using Fortinet FortiSIEM should prioritize updating their systems to protect against possible exploitation of this critical vulnerability.