Tuesday, February 6, 2024, 12:26 PM
Fortinet's FortiSIEM product is vulnerable to two new maximum-severity security vulnerabilities that allow for remote code execution. Both CVE-2024-23108 and CVE-2024-23109 have been assigned provisional scores of 10 on the CVSS scale, meaning the flaws can be exploited remotely by unauthenticated attackers, are low in complexity, and require no user interaction to pull off.
In registering the CVE identities for the vulnerabilities, Fortinet linked to its own advisory to provide more information, but the link directs users to an older issue that was addressed in early October 2023.
"Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests," the advisory's description of the vulnerability reads.
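The advisory classifies the weakness as CWE-78 (OS command injection). The snippet below is an added, generic illustration of that weakness class and its mitigation; it is not FortiSIEM code and says nothing about how Fortinet's supervisor is implemented. The hostname API parameter, the `ping` wrapper and the allowlist pattern are all constructed assumptions for the example.

```python
import re

# Constructed example of CWE-78, not FortiSIEM code: an API handler that takes a
# hostname from a request and builds a ping command from it.

# Assumed allowlist for a hostname: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Characters that give a POSIX shell structural meaning (command separators,
# pipes, substitutions, redirection, quoting). Useful both for rejecting input
# and for flagging suspicious parameter values in API request logs.
SHELL_METACHARS = set(";|&$`<>(){}'\"\\\n")


def build_ping_command_unsafe(hostname: str) -> str:
    """Vulnerable pattern: request data is concatenated into a shell command line
    that would later be handed to a shell. Any metacharacter in `hostname` is
    interpreted by that shell, so the result is no longer one command."""
    return f"ping -c 1 {hostname}"


def build_ping_command_safe(hostname: str) -> list[str]:
    """Hardened pattern: validate against an allowlist, then return an argv list
    so the value is passed as a single argument and never parsed by a shell."""
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["ping", "-c", "1", hostname]


def find_shell_metachars(value: str) -> set[str]:
    """Return the shell metacharacters present in a request parameter value.
    An empty set means the value carries no shell structure; a non-empty set is
    worth a closer look when reviewing API requests to a command-running endpoint."""
    return {ch for ch in value if ch in SHELL_METACHARS}


def triage_request_params(params: dict[str, str]) -> dict[str, set[str]]:
    """Constructed helper for log review: map each parameter name to the
    metacharacters found in it, keeping only parameters that contain any."""
    return {k: m for k, v in params.items() if (m := find_shell_metachars(v))}


if __name__ == "__main__":
    benign = "host.example"
    hostile = "host.example; echo injected"   # constructed sample, harmless payload
    print(build_ping_command_unsafe(hostile))   # shell would see two commands
    print(build_ping_command_safe(benign))      # single argv entry
    print(triage_request_params({"host": hostile, "count": "1"}))
```

The hardened builder rejects input before it reaches a command, and the argv form removes the shell from the path entirely; `triage_request_params` shows the same metacharacter set reused from the defender's side to spot request parameters that deserve scrutiny.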
Looking at older, cached versions of the same advisory, we can see that the list of affected products has recently been updated to add further FortiSIEM versions. Although Fortinet has not yet officially updated the advisory, this suggests the two new vulnerabilities may be similar in nature to the one fixed in October, affecting newer versions of FortiSIEM.
The Register asked Fortinet for clarity on the matter but did not receive a response.
We also spoke to application security expert Sean Wright, who said the most recent two vulnerabilities in FortiSIEM will likely be classified as the same vulnerability from October (CVE-2023-34992), or at least a variation of it that impacts different or additional versions.
Hopefully Fortinet will provide some clarity on the matter in the coming days. Telling vulnerabilities apart, especially in the early days of disclosure, is often confusing for security pros sifting through conflicting details, as is the case here with the yet-to-be-updated advisory.
The National Vulnerability Database listings for CVE-2024-23108 and CVE-2024-23109 indicate both are currently under review, so we'll probably learn more about the issues at a later date.
Although no public exploit code is known to exist, Fortinet customers will want to get these vulnerabilities sorted out as soon as possible given their severity.
The following versions are confirmed to be vulnerable:
7.1.0 through 7.1.1
7.0.0 through 7.0.2
6.7.0 through 6.7.8
6.6.0 through 6.6.3
6.5.0 through 6.5.2
6.4.0 through 6.4.2
Customers can upgrade to version 7.1.2 today and have these vulnerabilities plugged, or wait for upcoming versions if for whatever reason upgrading to the very latest version is unfeasible.
Fortinet said it will be releasing new versions for 7.0.x, 6.7.x, 6.6.x, 6.5.x, and 6.4.x soon, without specifying an expected date.
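As an added example (not from The Register or Fortinet), the script below turns the affected-version list and the 7.1.2 fix named above into an inventory check: it classifies FortiSIEM version strings as vulnerable, fixed, or not listed, and for vulnerable hosts reports whether an upgrade is available now or the branch is still waiting on a release. The inventory of hosts is a constructed sample; "not listed" deliberately means "needs a manual check against the advisory", not "safe".

```python
import re

# Inclusive (low, high) ranges taken from the article's affected-version list.
VULNERABLE_RANGES = [
    ((7, 1, 0), (7, 1, 1)),
    ((7, 0, 0), (7, 0, 2)),
    ((6, 7, 0), (6, 7, 8)),
    ((6, 6, 0), (6, 6, 3)),
    ((6, 5, 0), (6, 5, 2)),
    ((6, 4, 0), (6, 4, 2)),
]

# The only fixed release the article confirms.
FIXED_VERSIONS = {(7, 1, 2)}

# Branches the article says will receive new versions, with no date given.
PENDING_BRANCHES = {(7, 0), (6, 7), (6, 6), (6, 5), (6, 4)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple; reject anything else."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiSIEM version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not listed' for one version string."""
    v = parse_version(version)
    if v in FIXED_VERSIONS:
        return "fixed"
    if any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES):
        return "vulnerable"
    return "not listed"


def recommendation(version: str) -> str:
    """Advice for one host, following the article: 7.1.2 is available now;
    other branches can move to 7.1.2 or wait for their own pending release."""
    status = classify(version)
    if status == "fixed":
        return "no action: already on 7.1.2"
    if status == "not listed":
        return "verify manually against the current advisory"
    branch = parse_version(version)[:2]
    if branch == (7, 1):
        return "upgrade to 7.1.2 now"
    if branch in PENDING_BRANCHES:
        return f"upgrade to 7.1.2 now, or wait for the pending {branch[0]}.{branch[1]}.x release"
    return "upgrade to 7.1.2 now"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group host names by classification so the vulnerable set is easy to act on."""
    groups: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "not listed": []}
    for host, version in inventory.items():
        groups[classify(version)].append(host)
    return groups


# Constructed sample inventory for demonstration; host names are placeholders.
SAMPLE_INVENTORY = {
    "siem-sup-01": "7.1.1",
    "siem-sup-02": "7.1.2",
    "siem-sup-03": "6.7.8",
    "siem-sup-04": "6.7.9",
    "siem-sup-05": "6.4.0",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:12} {ver:7} {classify(ver):11} {recommendation(ver)}")
    print(triage(SAMPLE_INVENTORY))
```

The ranges and the fixed version are the data points the article gives; when Fortinet ships the pending branch releases, `FIXED_VERSIONS` is the only table that needs updating.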