Double trouble for Fortinet as it issues critical FortiSIEM vulns

Please stand by 73 hours for vendor response...*


Updated: Fortinet's FortiSIEM product is vulnerable to two maximum-severity security flaws that allow remote code execution, or so two freshly published CVEs suggest.*

Both CVE-2024-23108 and CVE-2024-23109 have been assigned scores of 10.0 on the CVSS scale, the maximum, which implies the attacks can be carried out remotely by unauthenticated attackers, are low in complexity, and require no user interaction to pull off.

In registering the CVE identities for the vulnerabilities, Fortinet linked to its own advisory to provide more information, but the link directs users to an older issue that was addressed in early October 2023.

"Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests," the advisory's description of the vulnerability reads.
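The advisory's wording is the CWE-78 pattern: a value from an API request reaches an OS command line without the shell's special characters being neutralised. The following is an added illustration, not FortiSIEM code and not derived from the vulnerability itself: a hypothetical API handler that probes a host, shown first in the vulnerable shape and then hardened. `echo` stands in for whatever tool a real supervisor would run so that the demonstration is harmless, and the attacker-controlled `host` value is constructed.

```python
import re
import subprocess

# Allow-list for the only shape a host parameter should ever take here:
# letters, digits, dots and hyphens, no shell metacharacters, no whitespace.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def check_host_vulnerable(host: str) -> str:
    """Vulnerable (CWE-78): the request parameter is spliced into a command
    string that /bin/sh parses, so ';', '|', '&&' and '$(...)' in `host`
    become additional commands."""
    cmd = f"echo probing {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def check_host_hardened(host: str) -> str:
    """Hardened: reject anything outside the allow-list, then pass the value
    as a single argv element with no shell in the path at all."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    result = subprocess.run(["echo", "probing", host],
                            capture_output=True, text=True)
    return result.stdout


def injected(output: str) -> bool:
    """True if the payload's marker ran as its own command (own output line)."""
    return "INJECTED" in output.splitlines()


def hardened_rejects(host: str) -> bool:
    """True if the hardened handler refuses the parameter before running anything."""
    try:
        check_host_hardened(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"   # constructed attacker input
    print(check_host_vulnerable(payload), end="")   # second line reads INJECTED
    print(hardened_rejects(payload))                # True
    print(check_host_hardened("10.0.0.1"), end="")  # probing 10.0.0.1
```

Dropping the shell (argv list instead of a string) is what removes the injection, and it should be done regardless of validation. The allow-list is still worth keeping: many tools interpret a leading `-` as an option, so even a shell-free call can be steered by a parameter that is merely "a string" as far as the code is concerned.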

Taking a glance at older, cached versions of the same advisory, we can see that the list of affected products has been recently updated, adding additional FortiSIEM versions. Despite Fortinet's advisory not being officially updated (yet), it suggests the two new vulnerabilities may be similar in nature to the one fixed in October, affecting newer versions of FortiSIEM.

The Register asked Fortinet for clarity on the matter but did not receive a response.

We also spoke to application security expert Sean Wright, who said the most recent two vulnerabilities in FortiSIEM will likely be classified as the same vulnerability from October (CVE-2023-34992), or at least a variation of it that impacts different or additional versions.

Hopefully Fortinet will provide some clarity on the matter in the coming days. Telling vulnerabilities apart in the early days of a disclosure is often confusing for security pros sifting through conflicting details, as is the case here with the yet-to-be-updated advisory.

The National Vulnerability Database listings for CVE-2024-23108 and CVE-2024-23109 indicate both are currently under review, so we'll probably learn more about the issues at a later date.

Although there is no known publicly available exploit code available, Fortinet customers will want to get these vulnerabilities sorted out as soon as possible given their severity.

The following versions are confirmed to be vulnerable:

Customers can upgrade to version 7.1.2 today and have these vulnerabilities plugged, or wait for upcoming versions if for whatever reason upgrading to the very latest version is unfeasible.

Fortinet said it will be releasing new versions for 7.0.x, 6.7.x, 6.6.x, 6.5.x, and 6.4.x soon, without specifying an expected date. ®

Updated to add on February 7 2024

* The vendor has since claimed in a quote to another tech outlet that the CVEs were indeed duplicated from last October, and claimed it "issued duplicate CVEs in error."

Updated to add on February 9 2024

* The company later backtracked saying that yes, actually, these are two new vulnerabilities – two bypasses for October's CVE-2023-34992. For more on this tale of absolute vendor bunglement, please read our February 9 piece, "Fortinet's week to forget: Critical vulns, disclosure screw-ups, and that toothbrush DDoS attack claim"....
