Critical Unauthenticated RCE Vulnerability in Fortinet FortiSIEM: PoC Published
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A proof-of-concept (PoC) exploit has been released for a critical unauthenticated, remote code execution vulnerability in Fortinet FortiSIEM, tracked as CVE-2023-34992.
The vulnerability, which has a CVSS score of 10.0, was discovered by researchers at Horizon3.ai during an audit of Fortinet appliances in early 2023.
Fortinet FortiSIEM is a comprehensive Security Information and Event Management (SIEM) solution that provides log collection, correlation, automated response, and remediation capabilities.
RCE Vulnerability & PoC
A critical vulnerability was found during an audit of Fortinet appliances, revealing several issues that culminated in the discovery of this significant flaw.
FortiSIEM’s backend web service is deployed via Glassfish, a Java framework. The vulnerability resides LicenseUploadServlet.class within the web service.
The doPost method of this servlet was found to be susceptible to command injection, allowing unauthenticated attackers to exploit the system.
The PoC demonstrates how an attacker can leverage this vulnerability to gain unauthenticated remote code execution.
This access can be used to read secrets from integrated systems, enabling further lateral movement within the network. Full PoC can be found on GitHub.
Successful exploitation of CVE-2023-34992 allows attackers to:
Mitigation
Fortinet has fixed this vulnerability in a recent update. Any FortiSIEM version from 6.4.0 to 7.1.1 is at risk. Fortinet has issued patches for versions 7.0.3, 7.1.3, and 6.7.9, and it is recommended to upgrade to these versions or later.
Furthermore, patches for versions 7.2.0, 6.6.5, 6.5.3, and 6.4.4 are anticipated to be released soon.
Users are strongly advised to apply the latest patches to mitigate the risk. Additionally, it is recommended to follow best practices for securing SIEM deployments, such as restricting access to the management interface and regularly auditing system configurations.
Organizations utilizing FortiSIEM should review their logs for any unusual activity, especially in the file /opt/phoenix/logs/phoenix.logs that could potentially hold the contents of messages received for the phMonitor service.
Organizations using Fortinet FortiSIEM should prioritize updating their systems to protect against potential exploitation of this severe vulnerability.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Critical Unauthenticated RCE Vulnerability in Fortinet FortiSIEM: PoC Published
Author: Guru BaranA proof-of-concept (PoC) exploit has been released for a critical unauthenticated, remote code execution vulnerability in Fortinet FortiSIEM, tracked as CVE-2023-34992.
The vulnerability, which has a CVSS score of 10.0, was discovered by researchers at Horizon3.ai during an audit of Fortinet appliances in early 2023.
Fortinet FortiSIEM is a comprehensive Security Information and Event Management (SIEM) solution that provides log collection, correlation, automated response, and remediation capabilities.
RCE Vulnerability & PoC
A critical vulnerability was found during an audit of Fortinet appliances, revealing several issues that culminated in the discovery of this significant flaw.
FortiSIEM’s backend web service is deployed via Glassfish, a Java framework. The vulnerability resides LicenseUploadServlet.class within the web service.
The doPost method of this servlet was found to be susceptible to command injection, allowing unauthenticated attackers to exploit the system.
The PoC demonstrates how an attacker can leverage this vulnerability to gain unauthenticated remote code execution.
This access can be used to read secrets from integrated systems, enabling further lateral movement within the network. Full PoC can be found on GitHub.
Successful exploitation of CVE-2023-34992 allows attackers to:
- Execute arbitrary commands as the root user.
- Read sensitive information and secrets from integrated systems.
- Pivot to other systems within the network, potentially leading to widespread compromise.
Mitigation
Fortinet has fixed this vulnerability in a recent update. Any FortiSIEM version from 6.4.0 to 7.1.1 is at risk. Fortinet has issued patches for versions 7.0.3, 7.1.3, and 6.7.9, and it is recommended to upgrade to these versions or later.
Furthermore, patches for versions 7.2.0, 6.6.5, 6.5.3, and 6.4.4 are anticipated to be released soon.
Users are strongly advised to apply the latest patches to mitigate the risk. Additionally, it is recommended to follow best practices for securing SIEM deployments, such as restricting access to the management interface and regularly auditing system configurations.
Organizations utilizing FortiSIEM should review their logs for any unusual activity, especially in the file /opt/phoenix/logs/phoenix.logs that could potentially hold the contents of messages received for the phMonitor service.
Organizations using Fortinet FortiSIEM should prioritize updating their systems to protect against potential exploitation of this severe vulnerability.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
