Sunday, November 10, 2024
HomeCVE/vulnerabilityExploit Released For Critical Fortinet RCE Flaw: Patch Soon!

Exploit Released For Critical Fortinet RCE Flaw: Patch Soon!

Published on

Malware protection

FortiClientEMS (Enterprise Management Server), the security solution used for scalable and centralized management, was discovered with an SQL injection vulnerability that could allow an unauthenticated threat actor to execute unauthorized code or command on vulnerable servers through specially crafted requests. 

This vulnerability exists due to improper neutralization of special elements used in an SQL command. The vulnerability was assigned with CVE-2023-48788 and the severity was given as 9.8 (Critical). 

However, Fortiguard has acted swiftly upon this vulnerability and has released patches to fix it.

- Advertisement - SIEM as a Service

Moreover, this vulnerability was found to be exploited by threat actors in the wild. In addition, a proof-of-concept for this vulnerability has also been released.

Proof Of Concept Analysis – CVE-2023-48788

According to the reports shared with Cyber Security News, this vulnerability exists due to the multiple components on the FortiClient EMS, such as FmcDaemon.exe. FCTDas.exe and one or more endpoint clients.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

To provide a brief insight, the FmcDaemon.exe is the main service used for communicating with enrolled clients which listens to port 8013 by default for all incoming connections.

The FCTDas.exe is the Data Access Server that is used for translating requests from various other server components into SQL requests which also interacts with Microsoft SQL Server database.  

Furthermore, the endpoint clients can communicate with the FmcDaemon on the server via port 8013 (tcp).

However, the vulnerable component was discovered by scanning the installation folder for common SQL strings which revealed that FCTDas.exe establishes connections to the local database over tcp/1433 and also listens for incoming connections over localhost port tcp/65432.

FTCDas.exe connections (Source: Horizon3)

Finding the Vulnerability Trigger

After enabling debug logging to gather communications information between the FcmDaemon.exe and an endpoint.

It was also discovered that many of the message-handling functions were making use of a functionality from policyhelper.dll. 

However, the SQL injection was discovered by simply updating the FCTUID in the FcmDaemon message which triggered a simple sleep payload that delayed a 10 second response from the server.

SQL Query in DAS logs (Source: Horizon3)

For escalating this into a Remote code execution, the built-in xp_cmdshell functionality of Microsoft SQL Server was utilized which was enabled via few other SQL statements.

Moreover, Horizon3 researchers have published a proof-of-concept that only triggers the SQL injection vulnerability to confirm its existence.

Xp_cmdshell logs (Source: Horizon3)

For FortiClientEMS, there are several log files under the directory C:\Program Files (x86)\Fortinet\FortiClientEMS\logs that can be used for further analysis of malicious activity.

As an alternative, the MS SQL logs can also be examined for additional evidence of exploitation through xp_cmdshell.

Additionally, the NodeZero threat actor was also found to be using different techniques to gain execution over vulnerable FortiClientEMS servers using this vulnerability.

NodeZero Attack technique (Source: Horizon3)

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...

Researchers Detailed Credential Abuse Cycle

The United States Department of Justice has unsealed an indictment against Anonymous Sudan, a...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...