26 March 2024 | Prepared by: Adam Skupien, Vulnerability Security Analyst
Purpose
The purpose of this alert is to bring attention to a CRITICAL, publicly released vulnerability identified as CVE-2023-48788, present in Fortinet’s FortiClient Endpoint Management Server (EMS) solution, running certain versions of FortiClientEMS.
Exploitation of this vulnerability may result in remote code execution by an unauthenticated threat actor to execute unauthorised code or commands via a specifically crafted request.
Fortinet has advised they are aware of instances where this has been exploited and recommends immediate action.
The Triskele Labs Cyber Threat Intelligence (CTI) team advises that Proof-of-Concept (POC) code to exploit this vulnerability is now publicly available on GitHub.
On 22 March 2024, the Australian Cyber Security Centre (ACSC) released an advisory addressing this vulnerability and encouraging organisations to patch affected devices.
Currently, GreyNoise is reporting 2 unique IP addresses attempting to exploit CVE-2023-48788. This vulnerability has been added to the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue. Fortinet has also reported active exploitation of this vulnerability.
Details
On 22 March 2024, Fortinet issued a notification describing a critical vulnerability known as CVE-2023-48788. Threat Actors have begun exploiting this vulnerability in the wild. The vulnerability is present in the following FortiClientEMS versions and products:
· FortiClientEMS version 7.2 to 7.2.2
· FortiClientEMS version 7.0 to 7.0.10
The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) that can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands.
Mitigation Actions
Triskele Labs recommends that affected versions of FortiClientEMS be upgraded to either 7.2.3 or above or 7.0.11 or above.
The virtual patch named "FG-VD-54509.0day:FortiClientEMS.DAS.SQL.Injection" available from Fortinet should be applied if upgrading is not feasible.
Detection
Managed Detection and Response (MDR) platforms could monitor an environment for suspicious activity relating to the exploitation of this vulnerability.
However, visibility is lower than that of a standard workstation or server because these assets are appliances and cannot run the Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) agents.
Please ensure that these devices are sending syslog to a SIEM so that malicious indicators can be identified.
To check for indication of compromise, Triskele Labs recommends examining various log files in C:\Program Files (x86)\Fortinet\FortiClientEMS\logs for connections from unrecognised clients or other malicious activity, and examining MS SQL logs for evidence of xp_cmdshell being utilised to obtain command execution.
Triskele Labs DefenceShield customers with Assess service (Vulnerability Scanning) are currently being scanned. All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored closely for related Indicators of Compromise (IOCs) and Tactics, Techniques and Procedures (TTPs).
