Fortinet warns of critical command injection bug in FortiSIEM

Fortinet is alerting customers of a critical OS command injection vulnerability in FortiSIEM report server that could be exploited by remote, unauthenticated attackers to execute commands through specially crafted API requests.

FortiSIEM (Security Information and Event Management) is a comprehensive cybersecurity solution that provides organizations with enhanced visibility and granular control over their security posture.

It is used in businesses of all sizes in the healthcare, financial, retail, e-commerce, government, and public sectors.

Variant of another OS command injection

Now tracked as CVE-2023-36553, Fortinet's product security team earlier this week discovered the flaw and assigned it a critical severity score of 9.3. However, the U.S. National Institute of Standards and Technology (NIST) calculated a severity score of 9.8.

“An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.” - Fortinet

The researchers say that CVE-2023-36553 is a variant of another critical-severity security issue identified as CVE-2023-34992 that was fixed in early October.

Improper neutralization issues arise when the software fails to sanitize input, such as special characters or control elements, before it is passed through an accepted OS command delivered to an interpreter.

In this case, the program takes API requests and passes them to the OS as a command to be executed, leading to dangerous scenarios like unauthorized data access, modification, or deletion.

Affected versions include FortiSIEM releases from 4.7 through 5.4. Fortinet urges system administrators to upgrade to versions 6.4.3, 6.5.2, 6.6.4, 6.7.6, 7.0.1, or 7.1.0 and later.

Attractive targets

Fortinet products include firewalls, endpoint security, and intrusion detection systems. These are often targeted by sophisticated, state-backed hacking groups, for access to an organization's network.

In 2023, various cybersecurity reports confirmed bugs in Fortinet products being exploited by Iranian hackers to attack U.S. aeronautical firms and Chinese cyber-espionage clusters [1, 2].

Additionally, there have been cases where hackers exploited zero-day vulnerabilities in Fortinet products to breach government networks, discovered after painstakingly reverse-engineering specific FortiGate OS components.