As expected, cyber attackers have pounced on a critical remote code execution (RCE) vulnerability in the Fortinet Enterprise Management Server (EMS) that was patched last week; it allows them to execute arbitrary code and commands with system administrator privileges on affected systems.
The flaw, tracked as CVE-2024-48788 with a CVSS severity score of 9.3 out of 10, was one of three that the Cybersecurity and Infrastructure Security Agency (CISA) added on March 25 to its Known Exploited Vulnerabilities catalog, which tracks security vulnerabilities that are being actively exploited. Fortinet, which notified users of the flaw when it patched it earlier this month, has also quietly updated its security advisory to note that it is being exploited.
Specifically, the flaw is found in FortiClient EMS, the VM version of FortiClient’s central management console. It stems from a SQL injection error in a storage component that connects directly to the server and is triggered by communications between the server and the endpoints connected to it.
“An improper neutralization of special elements used in an SQL command… vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specially crafted requests,” according to the Fortinet advisory.
Proof-of-Concept exploit for CVE-2024-48788
Active exploitation of the flaw follows last week’s release of proof-of-concept (PoC) exploit code and an analysis by Horizon.ai researchers detailing how the flaw can be exploited.
Horizon.ai researchers found that the flaw lies in how the core server service responsible for communicating with registered endpoint clients, FcmDaemon.exe, interacts with those clients. By default, the service listens on port 8013 for incoming client connections, which the researchers used to develop the PoC.
Another server component that interacts with this service is the data access server, FCTDas.exe, which is responsible for translating requests from various other server components into SQL queries and then interacting with the Microsoft SQL Server database.
Exploiting the Fortinet flaw
To exploit the flaw, Horizon.ai researchers first established what typical communications between a client and the FcmDaemon service should look like by configuring an installer and deploying a basic endpoint client.
“We discovered that normal communications between an endpoint client and FcmDaemon.exe are encrypted with TLS, and there appeared to be no easy way to download TLS session keys to decrypt legitimate traffic,” explained Horizon.ai exploit developer James Horseman in the post.
The team then collected details about those communications from the service’s log, which gave the researchers enough information to write a Python script to communicate with FcmDaemon. After some trial and error, the team was able to work out the message format and establish “meaningful communication” with the FcmDaemon service to trigger a SQL injection, Horseman wrote.
“We built a simple sleep payload into the format
To turn this SQL injection vulnerability into an RCE attack, researchers used Microsoft SQL Server’s built-in xp_cmdshell functionality to create the PoC, according to Horseman. “Initially, the database was not configured to run the xp_cmdshell command; however, it was trivially enabled with some other SQL statements,” he wrote.
It is important to note that the PoC only confirms the vulnerability using a simple SQL injection without xp_cmdshell; for an attacker to achieve RCE, the PoC must be modified, Horseman added.
Cyber attacks on Fortinet increase; patch now
Fortinet bugs are popular targets for attackers, as Chris Boyd, a research engineer at the security company Tenable, warned in its advisory about the flaw, originally published on March 14. He cited several other Fortinet flaws as examples, such as CVE-2023-27997, a critical heap-based buffer overflow vulnerability in multiple Fortinet products, and CVE-2022-40684, an authentication bypass flaw in FortiOS, FortiProxy, and FortiSwitch Manager, which were exploited by threat actors. In fact, the latter bug was even sold for the purpose of giving attackers initial access to systems.
“With the release of the exploit code and past abuse of Fortinet flaws by threat actors, including APT (Advanced Persistent Threat) actors and nation-state groups, we strongly recommend remediating this vulnerability as soon as possible,” Boyd wrote in an update to his advisory following Horizon.ai’s release.
Fortinet and CISA are also urging customers who did not use the window of opportunity between the initial advisory and the release of the PoC exploit to patch servers vulnerable to this latest flaw immediately.
To help organizations identify whether the flaw is being exploited against them, Horizon.ai’s Horseman explained how to look for indicators of compromise (IoCs) in an environment. “There are various log files in C:\Program Files (x86)\Fortinet\FortiClientEMS\logs that can be examined to detect connections from unrecognized clients or other malicious activity,” he wrote. “You can also examine the MS SQL logs to verify the use of xp_cmdshell to achieve command execution.”
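One concrete way to act on the MS SQL log check above (and on the xp_cmdshell enablement step described earlier) is to scan the SQL Server ERRORLOG for the message the engine writes whenever sp_configure flips an option, and alert when xp_cmdshell goes from 0 to 1. This is an added example, not code from the article or from Horizon.ai; the ERRORLOG line layout and the "Configuration option ... changed from X to Y" wording are SQL Server's own, while the sample lines are constructed.

```python
import re

# Timestamped ERRORLOG line: "<date> <time.hh> <source>   <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<src>\S+)\s+(?P<msg>.*)$"
)
# Message SQL Server logs when sp_configure changes an option (real wording).
CONFIG_RE = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)


def scan_errorlog(lines):
    """Return (events, alerts): every configuration change found, and the subset
    where xp_cmdshell was switched on, which the article names as the RCE step."""
    events, alerts = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # banner or continuation line, not a timestamped message
        c = CONFIG_RE.search(m.group("msg"))
        if not c:
            continue
        ev = {"ts": m.group("ts"), "spid": m.group("src"), "option": c.group("opt"),
              "old": int(c.group("old")), "new": int(c.group("new"))}
        events.append(ev)
        if ev["option"] == "xp_cmdshell" and ev["old"] == 0 and ev["new"] == 1:
            alerts.append(ev)  # attacker-style enable, worth an immediate look
    return events, alerts


# Constructed ERRORLOG excerpt (not real log data) so the script runs stand-alone.
SAMPLE = """\
2024-03-20 09:58:01.12 Server      Starting up database 'master'.
2024-03-20 10:15:32.45 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-20 10:15:32.51 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-20 10:16:02.03 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
""".splitlines()

if __name__ == "__main__":
    events, alerts = scan_errorlog(SAMPLE)
    for a in alerts:
        print(f"ALERT {a['ts']} {a['spid']}: xp_cmdshell enabled")
```

Point the script at the live ERRORLOG (and its rotated ERRORLOG.n siblings) and correlate the session id with activity from the EMS service account; xp_cmdshell being toggled back off shortly afterwards, as in the sample, is itself suspicious.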