Saturday, May 25, 2024

Exploit Released For Critical Fortinet RCE Flaw: Patch Soon!

FortiClientEMS (Enterprise Management Server), the security solution used for scalable and centralized management, was discovered with an SQL injection vulnerability that could allow an unauthenticated threat actor to execute unauthorized code or command on vulnerable servers through specially crafted requests. 

This vulnerability exists due to improper neutralization of special elements used in an SQL command. The vulnerability was assigned with CVE-2023-48788 and the severity was given as 9.8 (Critical). 

However, Fortiguard has acted swiftly upon this vulnerability and has released patches to fix it.

Moreover, this vulnerability was found to be exploited by threat actors in the wild. In addition, a proof-of-concept for this vulnerability has also been released.

Proof Of Concept Analysis – CVE-2023-48788

According to the reports shared with Cyber Security News, this vulnerability exists due to the multiple components on the FortiClient EMS, such as FmcDaemon.exe. FCTDas.exe and one or more endpoint clients.


Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

To provide a brief insight, the FmcDaemon.exe is the main service used for communicating with enrolled clients which listens to port 8013 by default for all incoming connections.

The FCTDas.exe is the Data Access Server that is used for translating requests from various other server components into SQL requests which also interacts with Microsoft SQL Server database.  

Furthermore, the endpoint clients can communicate with the FmcDaemon on the server via port 8013 (tcp).

However, the vulnerable component was discovered by scanning the installation folder for common SQL strings which revealed that FCTDas.exe establishes connections to the local database over tcp/1433 and also listens for incoming connections over localhost port tcp/65432.

FTCDas.exe connections (Source: Horizon3)

Finding the Vulnerability Trigger

After enabling debug logging to gather communications information between the FcmDaemon.exe and an endpoint.

It was also discovered that many of the message-handling functions were making use of a functionality from policyhelper.dll. 

However, the SQL injection was discovered by simply updating the FCTUID in the FcmDaemon message which triggered a simple sleep payload that delayed a 10 second response from the server.

SQL Query in DAS logs (Source: Horizon3)

For escalating this into a Remote code execution, the built-in xp_cmdshell functionality of Microsoft SQL Server was utilized which was enabled via few other SQL statements.

Moreover, Horizon3 researchers have published a proof-of-concept that only triggers the SQL injection vulnerability to confirm its existence.

Xp_cmdshell logs (Source: Horizon3)

For FortiClientEMS, there are several log files under the directory C:\Program Files (x86)\Fortinet\FortiClientEMS\logs that can be used for further analysis of malicious activity.

As an alternative, the MS SQL logs can also be examined for additional evidence of exploitation through xp_cmdshell.

Additionally, the NodeZero threat actor was also found to be using different techniques to gain execution over vulnerable FortiClientEMS servers using this vulnerability.

NodeZero Attack technique (Source: Horizon3)

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles