PoC Exploit Released for Critical Fortinet FortiSIEM Command Injection Vulnerability


A proof-of-concept (PoC) exploit has recently surfaced, targeting a critical vulnerability in Fortinet’s FortiSIEM platform, identified as CVE-2024-23108, which allows for remote, unauthenticated command execution as root.

This article explores the origins of the vulnerability, how it was discovered, and its implications for Fortinet users.

In November 2023, while preparing for a call for papers, a cybersecurity researcher attempted to analyze the FortiSIEM patch for CVE-2023-34992. Despite requesting access to the latest versions of Fortinet appliances from Fortinet’s Product Security Incident Response Team (PSIRT), the request was denied. Undeterred, the researcher obtained access through alternative means and proceeded to scrutinize the patch.

Discovery of New Vulnerabilities

Fortinet had addressed the original issue, FG-IR-23-130, by introducing the wrapShellToken() utility to sanitize user-controlled input before it reached the shell. However, during analysis, the researcher unearthed a second-order command injection vulnerability triggered by specific parameters sent to datastore.py. This discovery led to the identification of two distinct vulnerabilities, CVE-2024-23108 and CVE-2024-23109, both carrying a CVSS3 score of 10.0. This article primarily focuses on CVE-2024-23108, as both vulnerabilities were patched simultaneously.

CVE-2023-34992 Patch and Code Flow Analysis

In the case of CVE-2023-34992, exploitation occurred through the phMonitor service on tcp/7900 by sending a handleStorageRequest message with a malicious server_ip value. Further analysis revealed that the control flow of datastore.py for this request type led to the execution of specific commands, including an os.system() call derived from user-controlled input. This flaw ultimately facilitated remote code execution as root.

Exploitation Method and Availability of PoC

The exploitation method for CVE-2024-23108 mirrors that of CVE-2023-34992, which had been reported six months earlier. A PoC exploit for CVE-2024-23108 has been published on GitHub, giving security teams a way to verify whether their own FortiSIEM deployments are still exposed.

Indicators of Compromise

To detect potential exploitation of CVE-2024-23108, administrators should monitor logs for the phMonitor service at /opt/phoenix/logs/phoenix.log. Suspicious activities, such as failed commands involving datastore.py nfs test, should be thoroughly investigated for signs of malicious input.
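As an added illustration of the log review described above (example code, not from the article or from Fortinet), the following Python scans phoenix.log-style lines for the indicator the article names: a failed `datastore.py nfs test` command, plus a server_ip argument that is not a bare IP address. The line layout, the argument order and the sample lines are constructed assumptions, since the page does not show the real log format.

```python
import ipaddress
import re

# Constructed sample lines. The real phoenix.log layout is not shown on the
# page, so this "timestamp process: message" format is an assumption used
# only to exercise the checks below.
SAMPLE_LOG = """\
2024-02-05 10:01:12 phMonitor[1234]: running datastore.py nfs test 10.0.0.5 /export/siem
2024-02-05 10:01:13 phMonitor[1234]: datastore.py nfs test 10.0.0.5 /export/siem finished rc=0
2024-02-05 10:02:44 phMonitor[1234]: running datastore.py nfs test 10.0.0.5<tampered> /export/siem
2024-02-05 10:02:45 phMonitor[1234]: datastore.py nfs test 10.0.0.5<tampered> /export/siem failed rc=1
2024-02-05 10:03:00 phMonitor[1234]: heartbeat ok
"""

# The command the article names; the first argument is assumed to be
# server_ip and is captured up to the next whitespace.
NFS_TEST_RE = re.compile(r"datastore\.py\s+nfs\s+test\s+(\S+)")
# Assumed failure markers; adjust to the wording your appliance actually logs.
FAILURE_RE = re.compile(r"\b(failed|error|rc=[1-9]\d*)\b", re.IGNORECASE)


def is_plain_ip(value: str) -> bool:
    """True only if value parses as a bare IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def scan_phoenix_log(text: str) -> list[dict]:
    """Return one finding per suspicious 'datastore.py nfs test' line.

    A line is flagged when (a) the command is reported as failed, which the
    article lists as the thing to investigate, or (b) the server_ip argument
    is not a syntactically valid IP address, which is how a tampered value
    would show up in the logged command line.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = NFS_TEST_RE.search(line)
        if not m:
            continue
        server_ip = m.group(1)
        reasons = []
        if FAILURE_RE.search(line):
            reasons.append("command failed")
        if not is_plain_ip(server_ip):
            reasons.append("server_ip is not a bare IP address")
        if reasons:
            findings.append({"line": lineno, "server_ip": server_ip,
                             "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in scan_phoenix_log(SAMPLE_LOG):
        print(finding)
```

If your deployment legitimately passes hostnames as server_ip, relax `is_plain_ip` to an allow-list of expected hosts rather than dropping the check.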

Conclusion

The release of the PoC exploit emphasizes the importance of timely patching and proactive system monitoring. Fortinet users are strongly advised to apply the latest patches and review system logs diligently to mitigate risks associated with CVE-2024-23108. As cybersecurity threats evolve, maintaining vigilance and promptly addressing vulnerabilities are paramount to safeguarding critical systems.

Source: cybersecuritynews.com

Peter Tolan is a Junior Content Editor for the HIPTHER network, where he has quickly established himself as a versatile voice in the global iGaming and technology sectors. Operating across the network's specialized platforms, Peter leverages a deep understanding of the European and American gaming landscapes to deliver high-impact, B2B intelligence. He is a key contributor to the "Evolution" side of the industry, specializing in the analysis of online gaming trends, the fast-paced world of esports, and the integration of deep-tech innovations. With a sharp eye for emerging technologies, Peter ensures that the HIPTHER community remains at the forefront of the global digital revolution.