Quantcast
Channel: Tenable Blog
Viewing all articles
Browse latest Browse all 1935

CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability

$
0
0

Fortinet warns of a critical SQL Injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code on vulnerable FortiClientEMS software.

Background

On March 12, Fortinet published an advisory (FG-IR-24-007) to address a critical flaw in its FortiClient Enterprise Management Server (FortiClientEMS), a solution which enables centralized management of multiple endpoints.

CVEDescriptionCVSSv3Severity
CVE-2023-48788Critical SQL Injection Vulnerability (or Improper neutralization of special elements in an SQL command)9.3Critical

At the time this blog was published, Fortinet’s advisory assigned a CVSSv3 score of 9.3 to this flaw, while the entry on the National Vulnerability Database (NVD) lists the CVSSv3 score as 9.8 and also links to an advisory that is not currently available. This blog will be updated to reflect the correct CVSSv3 score if the advisory or NVD record are updated.

Analysis

CVE-2023-48788 is a critical SQL injection vulnerability that could allow an unauthenticated, remote attacker to execute commands or arbitrary code through specifically crafted requests. At the time this blog was published, Fortinet’s advisory did not include any messaging about known exploitation of this vulnerability. However, due to prior targeting of Fortinet devices and word of an upcoming proof-of-concept (PoC) exploit for the flaw, in-the-wild exploitation is likely to occur.

Researchers at GreyNoise have published a tag for CVE-2023-48788 on the GreyNoise platform that can be used to monitor for in-the-wild exploitation attempts.

Historical exploitation of Fortinet devices

While no known exploitation of CVE-2023-48788 has been observed as of March 14, Fortinet devices have been frequently targeted by attackers with several noteworthy flaws observed since 2019.

Fortinet’s FortiOS and FortiProxy have been popular targets for threat actors, including CVE-2023-27997, a critical heap-based buffer overflow and CVE-2022-40684, a critical authentication bypass vulnerability. Other vulnerabilities in Fortinet devices have attracted the attention of multiple nation-state threat actors and ransomware groups like Conti. Fortinet vulnerabilities have been included as part of the top routinely exploited vulnerability lists in recent years.

Last month, Fortinet released an advisory and patch for CVE-2024-21762, an out-of-bound write vulnerability which had been exploited in the wild as a zero-day. Just days prior to that announcement, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a cybersecurity advisory (CSA) warning of state-sponsored threat actors from the People’s Republic of China (PRC) pre-positioning themselves in United States networks across critical infrastructure using vulnerabilities in Fortinet devices as well as other SSL VPN devices from other vendors. In the CSA, CVE-2022-42475, a heap-based buffer overflow in FortiOS, was specifically mentioned based on observed exploitation of the flaw, highlighting the continued use of vulnerabilities affecting Fortinet devices by a variety of threat actors.

Proof of concept

At the time this blog was published, no public proof-of-concept had been identified for this vulnerability, however, the Horizon3 Attack Team has stated a PoC will be published next week along with indicators of compromise (IoCs). With an upcoming release of exploit code and past abuse of Fortinet flaws by threat actors, including advanced persistent threat (APT) actors and nation-state groups, we highly recommend remediating this vulnerability as soon as possible.

Solution

Fortinet has released patches to address this SQL injection vulnerability as outlined in the table below:

Affected ProductAffected VersionFixed Version
FortiClientEMS 7.27.2.0 through 7.2.27.2.3 or above
FortiClientEMS 7.07.0.1 through 7.0.107.0.11 or above

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2023-48788 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.


Viewing all articles
Browse latest Browse all 1935

Trending Articles