Fortinet recently issued a confusing update regarding two new vulnerabilities in FortiSIEM, initially reported as duplicates but later confirmed as patch bypasses for a critical remote code execution (RCE) flaw. The vulnerabilities, identified as CVE-2024-23108 and CVE-2024-23109, are direct bypasses of the previously addressed CVE-2023-34992. This report aims to clarify the confusion and stress the importance of applying forthcoming patches to mitigate these vulnerabilities.
Vulnerability Details
- CVE IDs: CVE-2024-23108, CVE-2024-23109
- Original CVE ID: CVE-2023-34992
- Impact: Allows unauthenticated attackers to execute unauthorized commands via specially crafted API requests.
- Affected Product: FortiSIEM
Incident Overview
The disclosure of CVE-2024-23108 and CVE-2024-23109 was initially marred by confusion, with Fortinet mistakenly reporting them as duplicates of CVE-2023-34992 due to an API issue. However, it was later clarified that these CVEs represent specific patch bypasses, identified through the research efforts of Zach Hanley. These vulnerabilities share the same risk profile and impact as the original flaw, making immediate action imperative.
Attack Scenario and Exploitation
The vulnerabilities enable remote, unauthenticated attackers to exploit FortiSIEM systems by sending specially crafted API requests. This capability can lead to a full system compromise, providing attackers with the ability to execute arbitrary commands on the affected systems.
Response and Mitigation
Fortinet has acknowledged the oversight and confirmed that the new CVEs are variants of the original flaw. The company has announced that fixes for these vulnerabilities will be included in upcoming FortiSIEM versions:
- Version 7.1.2 or above
- Version 7.2.0 or above
- Version 7.0.3 or above
- Version 6.7.9 or above
- Version 6.6.5 or above
- Version 6.5.3 or above
- Version 6.4.4 or above
Organizations utilizing FortiSIEM are urged to upgrade to the patched versions as soon as they are available to protect against potential exploitation.
Threat Landscape and Impact
Given Fortinet’s prominence in network security, vulnerabilities within its products are highly attractive to threat actors, including ransomware groups seeking initial access to corporate networks. The critical nature of these flaws necessitates swift patching to prevent exploitation.
Conclusion
The revelation of CVE-2024-23108 and CVE-2024-23109 underscores the complexity of vulnerability management and the continuous efforts required to secure systems against evolving threats. Organizations must stay vigilant, monitor advisories from vendors like Fortinet closely, and apply security updates promptly to maintain the integrity of their networks against such critical vulnerabilities.
Stay informed and secure,
OP Innovate.
