Fortinet FortiClient Enterprise Management Server (EMS) < v7.2.3 - SQL Injection Vulnerability (CVE-2023-48788)

Description

Background & Context

Fortinet is a cybersecurity company that develops and sells security products such as firewalls, endpoint security and intrusion detection systems. Its first and flagship product was FortiGate, a hardware firewall. The Fortinet Security Fabric platform now integrates a portfolio including the FortiADC application delivery controller, the FortiGate network security platform, the FortiSIEM event correlation platform, the FortiManager centralised management platform and the FortiClient endpoint security solution. Many of these appliances run the company's Linux-based FortiOS network operating system; FortiClient EMS, the product affected here, is instead a Windows server application backed by a Microsoft SQL Server database.

Vulnerability Summary

FortiClient EMS (Enterprise Management Server) fails to properly neutralise special elements used in an SQL command, leaving it vulnerable to SQL injection (CWE-89).

FcmDaemon.exe is the main EMS service responsible for communicating with enrolled FortiClient endpoints. It listens externally on TCP port 8013 and relays requests to FCTDas.exe, the data access server that issues queries against the backing Microsoft SQL Server database, so a remote client can drive database queries indirectly through FcmDaemon. The code that handles these requests does not sanitise the FCTUID parameter carried in many FcmDaemon messages; an unauthenticated attacker who can reach port 8013 can therefore place SQL statements in that field and have the database execute them. Because the backend is Microsoft SQL Server, the injection can be escalated to operating-system command execution through the xp_cmdshell extended stored procedure, which is why the indicators below focus on it.
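The concatenation pattern behind this class of bug, shown as an added example that is not Fortinet's code: the table, column names and lookup function are hypothetical stand-ins for what the data access layer does with the FCTUID field, and sqlite3 stands in for the Microsoft SQL Server backend so the example runs offline.

```python
"""Illustration of the CWE-89 pattern behind CVE-2023-48788.

Added example, not Fortinet's code. The fct_clients table, its columns
and the lookup functions are hypothetical stand-ins for what the EMS
data access layer does with the FCTUID field; sqlite3 stands in for the
Microsoft SQL Server backend so that this runs offline.
"""
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample data: two enrolled endpoints and their FCTUIDs.
ENROLLED: List[Tuple[str, str, str]] = [
    ("0123456789ABCDEF0123456789ABCDEF", "LAPTOP-01", "10.0.0.11"),
    ("FEDCBA9876543210FEDCBA9876543210", "LAPTOP-02", "10.0.0.12"),
]

# Constructed hostile FCTUID: closes the string literal and appends a
# tautology, the simplest shape of the attack.
HOSTILE_FCTUID = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE fct_clients (fctuid TEXT, hostname TEXT, ip TEXT)")
    con.executemany("INSERT INTO fct_clients VALUES (?, ?, ?)", ENROLLED)
    return con


def lookup_vulnerable(con: sqlite3.Connection, fctuid: str) -> list:
    """Builds the query by string concatenation: whatever the client sends
    in FCTUID becomes part of the SQL text and is parsed as SQL."""
    query = f"SELECT hostname, ip FROM fct_clients WHERE fctuid = '{fctuid}'"
    return con.execute(query).fetchall()


def lookup_safe(con: sqlite3.Connection, fctuid: str) -> list:
    """Parameterised query: FCTUID is bound as data and never parsed as SQL."""
    return con.execute(
        "SELECT hostname, ip FROM fct_clients WHERE fctuid = ?", (fctuid,)
    ).fetchall()


def demo() -> Dict[str, list]:
    """Run both lookups with a legitimate and a hostile FCTUID."""
    con = make_db()
    return {
        "vulnerable_known": lookup_vulnerable(con, ENROLLED[0][0]),
        "vulnerable_hostile": lookup_vulnerable(con, HOSTILE_FCTUID),  # every row leaks
        "safe_known": lookup_safe(con, ENROLLED[0][0]),
        "safe_hostile": lookup_safe(con, HOSTILE_FCTUID),  # no row matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

One difference matters for the real chain: sqlite3's execute() refuses stacked statements, whereas SQL Server accepts them, so on the actual product the same injection point can carry a second statement such as an EXEC of xp_cmdshell rather than only a tautology.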

Impact If Exploited

Successful exploitation allows an unauthenticated remote attacker to execute unauthorized code or commands (remote code execution) as the privileged SYSTEM account via specially crafted packets sent to the FcmDaemon service.

NOTE: CISA (the US Cybersecurity and Infrastructure Security Agency) reported this vulnerability as actively exploited in the wild as of 2024-03-25 and lists it in its Known Exploited Vulnerabilities (KEV) catalogue. Public exploit code is available (https://github.com/horizon3ai/CVE-2023-48788), and Fortinet products have a history of abuse by threat actors including advanced persistent threat (APT) and nation-state groups, so we strongly recommend remediating this vulnerability as soon as possible and prioritising it in any impacted environment.

Affected Product Versions

  • Fortinet FortiClient EMS 7.2.0 through 7.2.2

  • Fortinet FortiClient EMS 7.0.1 through 7.0.10

Indicators of Compromise (IoC)

The log files under C:\Program Files (x86)\Fortinet\FortiClientEMS\logs can be examined for connections from unrecognised clients and for other anomalous activity; because the injection travels in the FCTUID field, FCTUID values containing SQL metacharacters (quotes, semicolons, comment sequences) are a direct sign of an attempt. The Microsoft SQL Server error log should also be examined for evidence of xp_cmdshell being enabled via sp_configure (SQL Server logs the configuration change, preceded by the enabling of 'show advanced options') or being invoked to obtain command execution. On an EMS server where xp_cmdshell was never intentionally enabled, finding it turned on is itself a strong indicator.
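A small triage script over constructed sample lines, added here as an example and not a Fortinet or vendor tool: it applies the two checks above to (1) FcmDaemon-style log lines carrying an FCTUID and (2) SQL Server error-log lines. The EMS line layout, the peer addresses and the set of known FCTUIDs are assumptions for the example; the SQL Server lines follow the wording of SQL Server's own configuration-change and extended-procedure messages but are constructed here. Adjust the FCTUID regex to the real log layout before running it against a live system.

```python
"""Triage helper for CVE-2023-48788 indicators.

Added example, not a Fortinet or vendor tool. Two scanners:
  scan_ems_lines   - flags FCTUID values that contain SQL metacharacters
                     or that are not known enrolled clients
  scan_mssql_lines - flags xp_cmdshell being enabled or invoked, plus the
                     'show advanced options' change that must precede it
The EMS line format ('FCTUID=<value>&...'), peer addresses and known
FCTUIDs are assumptions for the example; the SQL Server lines mirror the
wording of SQL Server's own error-log messages but are constructed.
"""
import re
from typing import Dict, List

# Assumed set of FCTUIDs enrolled in this EMS (export from the EMS
# console or database in a real investigation).
KNOWN_FCTUIDS = {
    "0123456789ABCDEF0123456789ABCDEF",
    "FEDCBA9876543210FEDCBA9876543210",
}

# Constructed EMS log lines in the assumed layout; 203.0.113.5 is the
# attacker, first probing with a fake UID, then injecting.
SAMPLE_EMS_LOG = [
    "2024-03-20 10:15:02 [FcmDaemon] peer=10.0.0.11 FCTUID=0123456789ABCDEF0123456789ABCDEF&VER=7.2.2",
    "2024-03-20 10:15:07 [FcmDaemon] peer=10.0.0.12 FCTUID=FEDCBA9876543210FEDCBA9876543210&VER=7.2.2",
    "2024-03-20 10:16:41 [FcmDaemon] peer=203.0.113.5 FCTUID=00000000000000000000000000000000&VER=7.2.2",
    "2024-03-20 10:16:44 [FcmDaemon] peer=203.0.113.5 FCTUID=x' ; EXEC xp_cmdshell 'whoami' --&VER=7.2.2",
    "2024-03-20 10:17:00 [FcmDaemon] heartbeat ok",
]

# Constructed SQL Server error-log lines (wording modelled on SQL Server's
# real messages).
SAMPLE_MSSQL_LOG = [
    "2024-03-20 10:16:45.12 spid55 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-03-20 10:16:45.20 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-03-20 10:16:46.01 spid55 Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.",
    "2024-03-20 10:20:00.00 spid9s  Starting up database 'tempdb'.",
]

# Assumed layout: the FCTUID value runs until the next '&' or end of line,
# so an injected payload containing spaces is captured whole.
FCTUID_RE = re.compile(r"FCTUID=([^&\r\n]+)")
# Quote, semicolon, or SQL comment openers have no business in a client UID.
SQL_META_RE = re.compile(r"""['";]|--|/\*""")
ENABLE_RE = re.compile(r"Configuration option '([^']+)' changed from 0 to 1")
XP_CMDSHELL_RE = re.compile(r"xp_cmdshell", re.IGNORECASE)


def scan_ems_lines(lines: List[str]) -> List[Dict]:
    """Flag suspicious FCTUID values in FcmDaemon-style log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = FCTUID_RE.search(line)
        if not m:
            continue
        uid = m.group(1)
        if SQL_META_RE.search(uid):
            findings.append({"line": n, "fctuid": uid, "reason": "sql-metacharacters"})
        elif uid not in KNOWN_FCTUIDS:
            findings.append({"line": n, "fctuid": uid, "reason": "unknown-client"})
    return findings


def scan_mssql_lines(lines: List[str]) -> List[Dict]:
    """Flag xp_cmdshell enablement, its precursor, and any xp_cmdshell use."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ENABLE_RE.search(line)
        if m and m.group(1) == "xp_cmdshell":
            findings.append({"line": n, "reason": "xp_cmdshell-enabled"})
        elif m and m.group(1) == "show advanced options":
            findings.append({"line": n, "reason": "advanced-options-enabled"})
        elif XP_CMDSHELL_RE.search(line):
            findings.append({"line": n, "reason": "xp_cmdshell-activity"})
    return findings


def triage() -> Dict[str, List[Dict]]:
    """Run both scanners over the constructed samples."""
    return {
        "ems": scan_ems_lines(SAMPLE_EMS_LOG),
        "mssql": scan_mssql_lines(SAMPLE_MSSQL_LOG),
    }


if __name__ == "__main__":
    for source, findings in triage().items():
        for f in findings:
            print(f"{source}: line {f['line']}: {f['reason']}")
```

Correlating the timestamps is the useful step: the hostile FCTUID at 10:16:44 is followed within seconds by the advanced-options and xp_cmdshell configuration changes from the same SQL Server session, which is the sequence this exploit chain produces.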

Remediation

Official Fix & Remediation Guidance

Fortinet has released patches for this SQL injection vulnerability (Fortinet PSIRT advisory FG-IR-24-007). Customers are advised to upgrade to the latest version of the impacted product: 7.2.3 or above for the 7.2 branch, or 7.0.11 or above for the 7.0 branch. A virtual patch named "FG-VD-54509.0day:FortiClientEMS.DAS.SQL.Injection" is available in FMWP DB update 27.750.

NOTE: Patching to the specific version indicated above may not protect the product against further vulnerabilities discovered after this guidance was published. Unless contraindicated, customers are therefore advised to always upgrade to the latest available version of the product.

Temporary Mitigation & Workarounds

(The vendor has not advised of any alternative temporary mitigation or workarounds.) Since FcmDaemon listens externally on TCP port 8013, restricting network access to that port to the address ranges of enrolled endpoints would reduce exposure in the interim; this is not a vendor-endorsed workaround and does not remove the flaw.

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production

Risk

Impact: Critical
Probability: Critical
CVSS v4 Score: 9.3 / 10
CVSS v3 Score: 9.8 / 10
CVSS v2 Score: 10 / 10
EPSS: 94.2 %

Information

Category: SQL Injection
CWE: CWE-89
Known Exploitation Activity: Yes (actively exploited in the wild; see Impact If Exploited above)

OWASP

OWASP 2013: A1 - Injection
OWASP 2017: A1 - Injection
OWASP 2021: A3 - Injection