CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability

Fortinet warns of a critical SQL Injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code on vulnerable FortiClientEMS software.

Background

On March 12, Fortinet published an advisory (FG-IR-24-007) to address a critical flaw in its FortiClient Enterprise Management Server (FortiClientEMS), a solution which enables centralized management of multiple endpoints.

At the time this blog was published, Fortinet’s advisory assigned a CVSSv3 score of 9.3 to this flaw, while the entry on the National Vulnerability Database (NVD) lists the CVSSv3 score as 9.8 and also links to an advisory that is not currently available. This blog will be updated to reflect the correct CVSSv3 score if the advisory or NVD record are updated.

Analysis

CVE-2023-48788 is a critical SQL injection vulnerability that could allow an unauthenticated, remote attacker to execute commands or arbitrary code through specifically crafted requests. At the time this blog was published, Fortinet’s advisory did not include any messaging about known exploitation of this vulnerability. However, due to prior targeting of Fortinet devices and word of an upcoming proof-of-concept (PoC) exploit for the flaw, in-the-wild exploitation is likely to occur.

Researchers at GreyNoise have published a tag for CVE-2023-48788 on the GreyNoise platform that can be used to monitor for in-the-wild exploitation attempts.

On March 21, Fortinet updated its advisory with a note confirming this vulnerability "is exploited in the wild." However, no further details were shared outside of this update and we are not aware of any other confirmations of in-the-wild exploitation.

Historical exploitation of Fortinet devices

Fortinet devices have been frequently targeted by attackers with several noteworthy flaws observed since 2019.

Fortinet’s FortiOS and FortiProxy have been popular targets for threat actors, including CVE-2023-27997, a critical heap-based buffer overflow and CVE-2022-40684, a critical authentication bypass vulnerability. Other vulnerabilities in Fortinet devices have attracted the attention of multiple nation-state threat actors and ransomware groups like Conti. Fortinet vulnerabilities have been included as part of the top routinely exploited vulnerability lists in recent years.

Last month, Fortinet released an advisory and patch for CVE-2024-21762, an out-of-bound write vulnerability which had been exploited in the wild as a zero-day. Just days prior to that announcement, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a cybersecurity advisory (CSA) warning of state-sponsored threat actors from the People’s Republic of China (PRC) pre-positioning themselves in United States networks across critical infrastructure using vulnerabilities in Fortinet devices as well as other SSL VPN devices from other vendors. In the CSA, CVE-2022-42475, a heap-based buffer overflow in FortiOS, was specifically mentioned based on observed exploitation of the flaw, highlighting the continued use of vulnerabilities affecting Fortinet devices by a variety of threat actors.

Proof of concept

At the time this blog was published, no public proof-of-concept had been identified for this vulnerability, however, the Horizon3 Attack Team has stated a PoC will be published next week along with indicators of compromise (IoCs). On March 21, the Horizon3 Attack Team released their PoC code along with a detailed write-up about how they reproduced the issue and developed a functional exploit that demonstrates the vulnerability without allowing for remote code execution.

As exploit code has been released and with past abuse of Fortinet flaws by threat actors, including advanced persistent threat (APT) actors and nation-state groups, we highly recommend remediating this vulnerability as soon as possible.

The recent #Fortinet #FortiClient Endpoint Management Server (EMS) SQL injection vulnerability, CVE-2023-48788, allows an unauth attacker to obtain RCE as SYSTEM on the server.

IOCs, POC, and deep-dive blog to be released next week. In the meantime, check DAS service logs for… pic.twitter.com/57ps2WiY8R

— Horizon3 Attack Team (@Horizon3Attack) March 13, 2024

Solution

Fortinet has released patches to address this SQL injection vulnerability as outlined in the table below:

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2023-48788 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

• Fortinet PSIRT Advisory for CVE-2023-48788 (FG-IR-24-007)
• Horizon3.ai Blog: CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.