Fortinet Patches Critical Bug in FortiClient EMS
Fortinet has patched a critical SQL injection vulnerability in its endpoint management software which could enable remote code execution (RCE) on targeted servers.
CVE-2023-48788 affects FortiClientEMS 7.2 – versions 7.2.0 to 7.2.2 – and FortiClientEMS 7.0 – versions 7.0.1 to 7.0.10. Discovered by Fortinet and the UK’s National Cyber Security Centre (NCSC), it affects the DB2 Administration Server (DAS) component of the product.
“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests,” the advisory noted.
There’s no information on whether it has been exploited in the wild yet, but that could be a realistic possibility given that security vendor Horizon3 has promised to release indicators of compromise (IoCs), a proof-of-concept exploit and a “deep dive” blog next week.
“In the meantime, check DAS service logs for malicious looking queries,” it warned in a brief post on X (formerly Twitter).
The recent #Fortinet #FortiClient Endpoint Management Server (EMS) SQL injection vulnerability, CVE-2023-48788, allows an unauth attacker to obtain RCE as SYSTEM on the server.
IOCs, POC, and deep-dive blog to be released next week. In the meantime, check DAS service logs for… pic.twitter.com/57ps2WiY8R
— Horizon3 Attack Team (@Horizon3Attack) March 13, 2024
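Horizon3's interim advice is to review DAS service logs for "malicious looking queries". As an added illustration that is not part of the article or of Horizon3's tooling, the script below shows one way to triage such a log offline: it scores each logged query against a few generic SQL-injection indicators (tautologies, comment terminators, UNION SELECT, stacked statements, an odd number of single quotes) and reports the lines and source addresses that exceed a threshold. The log lines are constructed and the "timestamp client query" layout is an assumption; the real DAS log format is not described here, so the `LINE_RE` pattern would need adjusting to the actual files.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log in an ASSUMED "date time client query" layout.
SAMPLE_DAS_LOG = """\
2024-03-12 10:01:02 10.0.0.5 SELECT id FROM endpoints WHERE hostname = 'WS-0142'
2024-03-12 10:01:07 10.0.0.5 UPDATE endpoints SET last_seen = CURRENT TIMESTAMP WHERE id = 17
2024-03-12 10:02:15 198.51.100.9 SELECT id FROM endpoints WHERE hostname = 'x' OR 1=1 --'
2024-03-12 10:02:16 198.51.100.9 SELECT id FROM endpoints WHERE hostname = 'x' UNION SELECT password FROM users --'
2024-03-12 10:02:20 198.51.100.9 SELECT id FROM endpoints WHERE hostname = 'x'; DROP TABLE audit --'
"""

# Assumed line layout; adjust to the real log format.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<query>.*)$")

# (name, pattern, weight). Heuristics for triage, not a complete signature set.
INDICATORS: List[Tuple[str, "re.Pattern[str]", int]] = [
    # OR x=x with identical operands, e.g. OR 1=1 or OR 'a'='a'
    ("tautology", re.compile(r"\bOR\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I), 2),
    ("comment_terminator", re.compile(r"--|/\*"), 1),
    ("union_select", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I), 3),
    ("stacked_statement", re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|CALL|DROP)\b", re.I), 3),
]


def score_query(query: str) -> Tuple[int, List[str]]:
    """Return (score, indicator names) for one logged SQL statement."""
    hits: List[str] = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(query):
            hits.append(name)
            score += weight
    # An odd number of single quotes usually means a string literal was broken out of.
    if query.count("'") % 2 == 1:
        hits.append("unbalanced_quotes")
        score += 1
    return score, hits


def triage_log(text: str, threshold: int = 3) -> List[Dict[str, object]]:
    """Return the log entries whose query score reaches the threshold."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real run should count these too
        score, hits = score_query(m.group("query"))
        if score >= threshold:
            findings.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "score": score,
                "indicators": hits,
                "query": m.group("query"),
            })
    return findings


def clients_of_interest(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Aggregate suspicious queries per source address for follow-up."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["client"])] = counts.get(str(f["client"]), 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage_log(SAMPLE_DAS_LOG)
    for f in hits:
        print(f"{f['ts']} {f['client']} score={f['score']} {f['indicators']}")
        print(f"    {f['query']}")
    print("per-client counts:", clients_of_interest(hits))
```

The weights are deliberately coarse: a lone `--` or an odd quote count can appear in legitimate traffic, so only combinations cross the threshold, and anything flagged should be read alongside the surrounding requests rather than treated as confirmation on its own.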
It’s been a busy week for Fortinet customers, with the vendor also patching several other vulnerabilities.
These include an out-of-bounds write vulnerability (CVE-2023-42789) and a stack-based buffer overflow (CVE-2023-42790) in the FortiOS and FortiProxy captive portal which could “allow an inside attacker who has access to captive portal to execute arbitrary code or commands via specially crafted HTTP requests.”
Both of these are rated critical, with a CVSS score of 9.3.
The network security vendor also released updates to fix a high-severity CSV injection bug (CVE-2023-47534) in FortiClientEMS.
“An improper neutralization of formula elements in a CSV File vulnerability [CWE-1236] in FortiClientEMS may allow a remote and unauthenticated attacker to execute arbitrary commands on the admin workstation via creating malicious log entries with crafted requests to the server,” Fortinet explained.
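The CWE-1236 weakness Fortinet describes arises when attacker-controlled text (here, log entries) is exported to CSV and a spreadsheet on the admin workstation interprets a cell beginning with `=`, `+`, `-`, `@`, a tab or a carriage return as a formula. As an added example, not Fortinet's code or a description of the actual fix, the Python below shows the standard mitigation: prefix any such cell with a single quote so the spreadsheet displays it as literal text, and let the `csv` module handle quoting. The log entries are constructed; the field names are assumptions.

```python
import csv
import io
from typing import Iterable, List

# Leading characters that make common spreadsheets evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: object) -> str:
    """Return a cell value that a spreadsheet will render as text, never as a formula."""
    text = "" if value is None else str(value)
    if text[:1] in FORMULA_TRIGGERS:
        # A leading apostrophe forces text interpretation; the csv writer
        # separately quotes the field so delimiters and quotes stay intact.
        return "'" + text
    return text


def export_log_csv(rows: Iterable[dict], fields: List[str]) -> str:
    """Serialise log entries to CSV with every untrusted cell neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({f: neutralize_cell(row.get(f)) for f in fields})
    return buf.getvalue()


# Constructed entries; "host" is the field an attacker could populate remotely.
SAMPLE_ENTRIES = [
    {"time": "2024-03-12T10:01:02Z", "host": "WS-0142", "event": "checkin"},
    {"time": "2024-03-12T10:02:15Z", "host": "=1+1", "event": "checkin"},
    {"time": "2024-03-12T10:02:16Z", "host": "@SUM(1,2)", "event": "checkin"},
    {"time": "2024-03-12T10:02:17Z", "host": "\"quoted\", with comma", "event": "checkin"},
]
FIELDS = ["time", "host", "event"]


def formula_cells(csv_text: str) -> List[str]:
    """Parse CSV back and list any cell that still starts with a formula trigger."""
    reader = csv.reader(io.StringIO(csv_text))
    return [cell for row in reader for cell in row if cell[:1] in FORMULA_TRIGGERS]


if __name__ == "__main__":
    out = export_log_csv(SAMPLE_ENTRIES, FIELDS)
    print(out)
    print("remaining formula cells:", formula_cells(out))
```

One caveat for real exports: the prefix also applies to legitimate negative numbers such as `-5`, so numeric columns should be emitted from typed values rather than passed through as strings, and the neutralization belongs at the export boundary, not in the stored log itself.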
Finally, Fortinet patched another high-severity vulnerability (CVE-2023-36554), this time in its FortiWLM MEA for FortiManager product. The improper access control bug could allow an unauthenticated remote attacker to execute arbitrary code or commands via specifically crafted requests.
“Note that FortiWLM MEA is not installed by default on FortiManager and can be disabled as a workaround,” Fortinet said.