Zero-Day Siege: The Fortinet Flaw Exposing the Underbelly of Corporate Defenses
Following the original discussion, user hal8999 from infosec.exchange contributed two notable insights. Edits have been made to this article to clarify the author's initial misinterpretation of his post's content. Hal8999 highlighted that the cloud-based EMS is always published to the public internet. As such, the customer cannot block access or un-publish it because they don't have control. He clarifies further with an analogy: “If you had on-prem Exchange, you could block internet access by a firewall rule until you patched. Or, filter inbound traffic through IDP and application filters.” He further states that with ‘cloud’, the customer no longer controls the firewall or the server on the back-end, so their environment is always left exposed to the internet unless/until the provider patches the environment or performs some other sort of action to block access. This means that fixing this issue, which now has publicly available proof-of-concept code, falls to FortiGate for the parts of the product the customer cannot manage themselves in the cloud, while for on-premises systems it is up to the customer to patch local machines or apply mitigations as per their guidance.
Fortinet has provided specific instructions in response to these and similar concerns. That guidance is below:
- Review your systems for evidence of exploit of previous vulnerabilities, e.g. FG-IR-22-377 / CVE-2022-40684
- Maintain good cyber hygiene and follow vendor patching recommendations
- Follow hardening recommendations, e.g., the FortiOS 7.2.0 Hardening Guide (had the 740 instances shown on Shodan and Shadowserver followed it, they would not be exposed right now).
- Minimize the attack surface by disabling unused features and managing devices via an out-of-band method wherever possible.
Mitigations detailed in FG-IR-22-377:
The mitigations for the vulnerability identified in FortiOS, FortiProxy, and FortiSwitchManager include disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can access it. Detailed configurations involve creating firewall address groups, local in policies, and service objects for administrative access, with adjustments for HA reserved management interfaces. Upgrading to specific versions of the affected products is recommended as a solution. For assistance, contacting customer support is advised.
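One way to express the local-in policy mitigation described above in FortiOS CLI, added here as an illustration rather than Fortinet's published configuration; the interface names (port1, port2), the trusted management subnet 10.10.0.0/24, the object names and the policy IDs are assumptions.

```text
# Added example (not Fortinet's published configuration): allow HTTPS admin
# access only from one trusted management subnet and deny it everywhere else.
# Assumptions: admin GUI served on port1, trusted subnet 10.10.0.0/24,
# admin HTTPS still on the default port 443 (adjust if admin-sport was changed).
config firewall address
    edit "mgmt_hosts"
        set subnet 10.10.0.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "mgmt_allowed"
        set member "mgmt_hosts"
    next
end
config firewall service custom
    edit "ADMIN_HTTPS"
        set tcp-portrange 443
    next
end
config firewall local-in-policy
    # Policy 1: accept admin HTTPS from the trusted group on port1 only.
    edit 1
        set intf "port1"
        set srcaddr "mgmt_allowed"
        set dstaddr "all"
        set action accept
        set service "ADMIN_HTTPS"
        set schedule "always"
    next
    # Policy 2: evaluated after policy 1, drops admin HTTPS from any other source.
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ADMIN_HTTPS"
        set schedule "always"
    next
end
# For an interface that should never serve the GUI, remove https from
# allowaccess entirely instead of filtering it (keep only what is needed).
config system interface
    edit "port2"
        set allowaccess ping ssh
    next
end
```

As the advisory summary above notes, HA reserved management interfaces need different handling, which this example does not cover; verify the result with a connection test from an address outside the trusted group before relying on it.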
Original Article with minor modifications follows:
In a rather dramatic turn that might stir the pot more than a tempest in a teapot, the cyber sleuths have once again unearthed a vulnerability so potent that it threatens the sanctity of Fortinet’s digital fortress. The flaw in question, CVE-2023-48788, is not your garden-variety bug; it’s a gaping chasm through which the uninvited can parade, courtesy of an SQL injection in the DB2 Administration Server (DAS) component — a flaw so egregious one would think it could only have been uncovered by the vigilant eyes at the UK’s National Cyber Security Centre (NCSC), but was instead detailed in a Horizon3 Attack Team report.
The vulnerable software, FortiClient Enterprise Management Server (EMS), finds itself in the crosshairs, particularly versions 7.0 and 7.2, which are now akin to open books for those with nefarious intent. These unauthenticated marauders, it appears, can waltz in with SYSTEM privileges, no secret handshake required, in an attack that’s embarrassingly straightforward, needing not a whit of user participation.
Fortinet, in what might be seen as a moment of understatement, describes the vulnerability as an “improper neutralization of special elements used in an SQL Command (‘SQL Injection’)”. This breach in decorum allows those with less than honorable intentions to execute unauthorized code with the nonchalance of a fox in a henhouse, through artfully crafted requests.
And while Fortinet initially played the card of reticence regarding the in-the-wild exploitation of this flaw, they have since updated their advisory in a more hushed tone, conceding to the reality of its active exploitation. Based on this author's interpretation, it appears the likelihood of exploitation of this vulnerability is mostly limited to those on the same LAN as the vulnerable system, as detailed by Horizon3’s diagram below.
Not detailed in their report is an attack scenario that could involve a sophisticated multi-stage process where an attacker may be able to combine a CSRF or similar attack with the aforementioned vulnerability for remote exploitation. By tricking a user into executing unintended actions, such as clicking a link sent by an attacker to a victim on the network containing the device vulnerable to CVE-2023-48788, an attacker may be able to bridge the gap from the internet to the LAN. However, this complex chaining of exploits significantly diminishes the likelihood of successful exploitation, as it requires precise conditions and user interaction to be met.
Merely a week post Fortinet’s patchwork attempt to mend this digital rend, Horizon3’s Attack Team took to the stage, not with a how-to on wreaking havoc, but a proof-of-concept (PoC) exploit. A demonstration, if you will, of the system’s vulnerability, stopping short of handing the keys to the kingdom by enabling remote code execution.
Yet, for those with a penchant for turning SQL injections into remote theatrical performances, the Horizon3 PoC can be tweaked. The magic wand here is the Microsoft SQL Server’s xp_cmdshell procedure, a spell that conjures a Windows command shell out of thin air, as recounted by Horizon3’s own conjurer, James Horseman.
As the digital world turns its gaze towards the exposed online FortiClient EMS servers, with Shodan counting over 440 and Shadowserver spotting more than 300, mainly in the United States, the narrative thickens. This isn’t Fortinet’s maiden voyage into the stormy seas of critical vulnerabilities. Just a February past, another critical bug was patched, only to be confirmed as actively exploited the very next day.
This tale, ripe with espionage and digital skullduggery, serves as a stark reminder of the perpetual arms race in the cyber realm. As vulnerabilities are patched, new ones emerge, in a never-ending ballet of digital one-upmanship. Fortinet’s woes are but a chapter in the annals of cybersecurity, a reminder that in this game, no fortress is impregnable, and the watchers on the wall must never sleep.
Additional Resources and Links: