- Unifying Excellence with Strategic Partnerships: Cisco Black Belt Academy and VQ Communications
- Appeal court overturns $1.6bn mainframe software ‘poaching’ ruling against IBM
- Cisco, Red Hat extend networking, AI integrations
- Strengthening our U.S. Public Sector Leadership Team with the Promotion of two Industry Veterans
- IBM and AWS forge global alliance, streamlining access to AI and hybrid cloud solutions
CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability
Fortinet warns of a critical SQL Injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code on vulnerable FortiClientEMS software.
Background
On March 12, Fortinet published an advisory (FG-IR-24-007) to address a critical flaw in its FortiClient Enterprise Management Server (FortiClientEMS), a solution which enables centralized management of multiple endpoints.
| CVE | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-48788 | Critical SQL Injection Vulnerability (or Improper neutralization of special elements in an SQL command) | 9.3 | Critical |
At the time this blog was published, Fortinet’s advisory assigned a CVSSv3 score of 9.3 to this flaw, while the entry on the National Vulnerability Database (NVD) lists the CVSSv3 score as 9.8 and also links to an advisory that is not currently available. This blog will be updated to reflect the correct CVSSv3 score if the advisory or NVD record are updated.
Analysis
CVE-2023-48788 is a critical SQL injection vulnerability that could allow an unauthenticated, remote attacker to execute commands or arbitrary code through specifically crafted requests. At the time this blog was published, Fortinet’s advisory did not include any messaging about known exploitation of this vulnerability. However, due to prior targeting of Fortinet devices and word of an upcoming proof-of-concept (PoC) exploit for the flaw, in-the-wild exploitation is likely to occur.
Researchers at GreyNoise have published a tag for CVE-2023-48788 on the GreyNoise platform that can be used to monitor for in-the-wild exploitation attempts.
Historical exploitation of Fortinet devices
While no known exploitation of CVE-2023-48788 has been observed as of March 14, Fortinet devices have been frequently targeted by attackers with several noteworthy flaws observed since 2019.
Fortinet’s FortiOS and FortiProxy have been popular targets for threat actors, including CVE-2023-27997, a critical heap-based buffer overflow and CVE-2022-40684, a critical authentication bypass vulnerability. Other vulnerabilities in Fortinet devices have attracted the attention of multiple nation-state threat actors and ransomware groups like Conti. Fortinet vulnerabilities have been included as part of the top routinely exploited vulnerability lists in recent years.
Last month, Fortinet released an advisory and patch for CVE-2024-21762, an out-of-bound write vulnerability which had been exploited in the wild as a zero-day. Just days prior to that announcement, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a cybersecurity advisory (CSA) warning of state-sponsored threat actors from the People’s Republic of China (PRC) pre-positioning themselves in United States networks across critical infrastructure using vulnerabilities in Fortinet devices as well as other SSL VPN devices from other vendors. In the CSA, CVE-2022-42475, a heap-based buffer overflow in FortiOS, was specifically mentioned based on observed exploitation of the flaw, highlighting the continued use of vulnerabilities affecting Fortinet devices by a variety of threat actors.
Proof of concept
At the time this blog was published, no public proof-of-concept had been identified for this vulnerability, however, the Horizon3 Attack Team has stated a PoC will be published next week along with indicators of compromise (IoCs). With an upcoming release of exploit code and past abuse of Fortinet flaws by threat actors, including advanced persistent threat (APT) actors and nation-state groups, we highly recommend remediating this vulnerability as soon as possible.
The recent #Fortinet #FortiClient Endpoint Management Server (EMS) SQL injection vulnerability, CVE-2023-48788, allows an unauth attacker to obtain RCE as SYSTEM on the server.
IOCs, POC, and deep-dive blog to be released next week. In the meantime, check DAS service logs for… pic.twitter.com/57ps2WiY8R
— Horizon3 Attack Team (@Horizon3Attack) March 13, 2024
Solution
Fortinet has released patches to address this SQL injection vulnerability as outlined in the table below:
| Affected Product | Affected Version | Fixed Version |
|---|---|---|
| FortiClientEMS 7.2 | 7.2.0 through 7.2.2 | 7.2.3 or above |
| FortiClientEMS 7.0 | 7.0.1 through 7.0.10 | 7.0.11 or above |
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2023-48788 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Get more information
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
