{"id":20422,"date":"2024-03-14T22:59:09","date_gmt":"2024-03-14T22:59:09","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=20422"},"modified":"2024-03-14T22:59:09","modified_gmt":"2024-03-14T22:59:09","slug":"fortinet-sql-rce-vulnerability","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/fortinet-sql-rce-vulnerability\/","title":{"rendered":"Fortinet RCE Vulnerability Affects FortiClient EMS Servers"},"content":{"rendered":"<p>Fortinet disclosed a critical vulnerability <strong>affecting FortiClient EMS products<\/strong> in March 2024. This vulnerability, categorized as an SQL injection, poses a significant cybersecurity threat. Above all, it has the potential to allow remote attackers to execute arbitrary commands on administrative workstations.<\/p>\n<h2>Fortinet SQLi Vulnerability Causes Remote Code Execution<\/h2>\n<p>As I mentioned, the vulnerability is <a href=\"https:\/\/gridinsoft.com\/sql-injection\">classified as SQL injection<\/a>, which stems from improper neutralization of special elements used in SQL commands. Successful exploitation can lead to the execution of code <strong>embedded into a specially crafted packet<\/strong>. 
This combination of an injection flaw and code execution grants the vulnerability a CVSS rating of 9.8.<\/p>\n<figure id=\"attachment_19563\" aria-describedby=\"caption-attachment-19563\" style=\"width: 790px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/rce_vulnerability.png\" alt=\"RCE flaws\" width=\"790\" height=\"364\" class=\"size-full wp-image-19563\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/rce_vulnerability.png 790w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/rce_vulnerability-300x138.png 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/02\/rce_vulnerability-768x354.png 768w\" sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><figcaption id=\"caption-attachment-19563\" class=\"wp-caption-text\">General chain of RCE exploitation<\/figcaption><\/figure>\n<p>The discovery was made jointly by Fortinet and the UK&#8217;s National Cyber Security Centre (NCSC). Fortunately, there is currently no information on whether the vulnerability has been exploited in the wild. But given <strong>the researcher\u2019s promise to release indicators of compromise (IoCs), a proof of concept (PoC)<\/strong>, and a detailed blog post next week, the possibility is rather high.<\/p>\n<h2>CVE-2023-48788 Vulnerability Overview<\/h2>\n<p>The vulnerability, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-48788\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">identified as CVE-2023-48788<\/a>, is considered severe, with urgent <strong>patches already released<\/strong>. Versions affected by the vulnerability include FortiClientEMS 7.2 (versions 7.2.0 through 7.2.2) and FortiClientEMS 7.0 (versions 7.0.1 through 7.0.10).<\/p>\n<p>An attacker can exploit a SQL injection vulnerability (CWE-89) in FortiClientEMS to execute commands with SYSTEM privileges on the server via <strong>maliciously crafted HTTP requests<\/strong>. 
This jeopardizes the integrity of the system and could result in complete control of the vulnerable server. Of particular concern is the fact that <strong>no authentication is required to exploit<\/strong> the vulnerability, which adds to its severity rating.<\/p>\n<p><a href=\"https:\/\/gridinsoft.com\/blogs\/new-fortinet-vpn-rce-flaw\/\">Recall that in February<\/a>, Fortinet disclosed a critical <strong>remote code execution (RCE) bug<\/strong> (CVE-2024-21762) in the FortiOS operating system and the FortiProxy secure web proxy. The company also noted it as &#8220;potentially being exploited in the wild&#8221;.<\/p>\n<h2>Fortinet Releases Immediate Patch<\/h2>\n<p>Fortinet recommends that all users <a href=\"https:\/\/fortiguard.fortinet.com\/psirt\/FG-IR-24-007\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">immediately upgrade their systems<\/a> to the latest versions to address the vulnerability. Furthermore, you should <strong>regularly check the DAS logs<\/strong> for suspicious requests that may indicate an attempt to exploit the vulnerability.<\/p>\n<div class=\"su-table su-table-alternate\">\n<table>\n<tr style=\"text-align:center\">\n<td><strong>Version<\/strong><\/td>\n<td><strong>Affected<\/strong><\/td>\n<td><strong>Solution<\/strong><\/td>\n<\/tr>\n<tr>\n<td>FortiClientEMS 7.2<\/td>\n<td>7.2.0 through 7.2.2<\/td>\n<td>Upgrade to 7.2.3 or above<\/td>\n<\/tr>\n<tr>\n<td>FortiClientEMS 7.0<\/td>\n<td>7.0.1 through 7.0.10<\/td>\n<td>Upgrade to 7.0.11 or above<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<p>The developers also <strong>patched several other vulnerabilities<\/strong> this week. These include a critical out-of-bounds write (CVE-2023-42789) and a stack-based buffer overflow (CVE-2023-42790) in the FortiOS Capture Portal and FortiProxy. 
These could &#8220;allow an insider attacker with access to the Capture Portal to execute random code or commands via specially crafted HTTP requests&#8221;.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fortinet disclosed a critical vulnerability affecting FortiClient EMS products in March 2024. This vulnerability, categorized as an SQL injection, poses a significant cybersecurity threat. Above all, it has the potential to allow remote attackers to execute arbitrary commands on administrative workstations. Fortinet SQLi Vulnerability Causes Remote Code Execution As I mentioned, the vulnerability is classified [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":20446,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[619,1060,374],"class_list":{"0":"post-20422","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-cybersecurity","9":"tag-fortinet","10":"tag-vulnerability"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/03\/GS_Blog_banner_Fortinet-RCE-Vulnerability-Affects-Sensitive-Servers_1280x674.webp","author_info":{"display_name":"Stephanie 
Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/20422","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=20422"}],"version-history":[{"count":15,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/20422\/revisions"}],"predecessor-version":[{"id":20449,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/20422\/revisions\/20449"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/20446"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=20422"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=20422"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=20422"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}