As expected, cyberattackers have pounced on a critical remote code execution (RCE) vulnerability in Fortinet's FortiClient Enterprise Management Server (EMS) that was patched last week, allowing them to execute arbitrary code and commands with system admin privileges on affected systems.
The flaw, tracked as CVE-2023-48788 and carrying a CVSS severity score of 9.3 out of 10, was one of three vulnerabilities that the Cybersecurity and Infrastructure Security Agency (CISA) added on March 25 to its Known Exploited Vulnerabilities Catalog, which tracks security vulnerabilities under active exploitation. Fortinet, which disclosed and patched the flaw earlier this month, also quietly updated its security advisory to note that it is being exploited in the wild.
Specifically, the flaw is in FortiClient EMS, the central management server for FortiClient endpoints. It is an SQL injection in the server's data access server (DAS) component and is triggered through the communication channel between the server and the endpoints enrolled in it.
"An improper neutralization of special elements used in an SQL Command ... vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests," according to Fortinet's advisory.
Proof-of-Concept Exploit for CVE-2023-48788
The current exploitation of the flaw follows last week's release of proof-of-concept (PoC) exploit code, together with an analysis by researchers at Horizon3.ai detailing how the flaw can be exploited.
Horizon3.ai researchers found that the flaw lies in how FcmDaemon.exe, the main server service responsible for communicating with enrolled endpoint clients, handles those communications. By default, the service listens on TCP port 8013 for incoming client connections, and that listener is the entry point the researchers used to build the PoC.
Another server component that interacts with this service is the data access server, FCTDas.exe, which translates requests from the other server components into SQL queries against the Microsoft SQL Server database behind EMS.
Exploiting the Fortinet Flaw
To exploit the flaw, the Horizon3.ai researchers first established what typical communications between a client and the FcmDaemon service look like by configuring an installer and deploying a basic endpoint client.
"We found that normal communications between an endpoint client and FcmDaemon.exe are encrypted with TLS, and there didn't seem to be an easy way to dump TLS session keys to decrypt the legitimate traffic," Horizon3.ai exploit developer James Horseman explained in the post.
The team then gleaned details about the communications from the service's log, which gave them enough information to write a Python script that talks to FcmDaemon. After some trial and error they worked out the message format and established "meaningful communication" with the service, enough to trigger an SQL injection, Horseman wrote.
"We constructed a simple sleep payload of the form <fctid>' AND 1=0; WAITFOR DELAY '00:00:10' -- '," he explained in the post. "We noticed the 10-second delay in response and knew that we had triggered the exploit."
To turn the SQL injection into RCE, the researchers used Microsoft SQL Server's built-in xp_cmdshell extended stored procedure, according to Horseman. "Initially, the database was not configured to run the xp_cmdshell command; however, it was trivially enabled with a few other SQL statements," he wrote.
The published PoC only confirms the vulnerability with the simple time-delay injection and does not invoke xp_cmdshell; an attacker would have to modify it to achieve RCE, Horseman added.
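The mechanics behind the sleep payload and the xp_cmdshell escalation, as an added T-SQL example that is not the Horizon3.ai PoC or any FortiClient EMS code: the table and the query shape are assumptions standing in for the EMS schema, which the article does not describe, and only the injected string is taken from Horseman's write-up. It runs against any Microsoft SQL Server test instance and shows the vulnerable string concatenation beside the parameterized form that turns the same input back into plain data.

```sql
-- Added example, not Horizon3.ai's PoC or Fortinet's code. The temp table and
-- the SELECT are assumptions standing in for the EMS data access layer; only
-- the payload string comes from the write-up.
SET NOCOUNT ON;

-- Constructed stand-in for a table keyed by endpoint client id (fctid).
CREATE TABLE #fct_clients (fctid NVARCHAR(64) PRIMARY KEY, hostname NVARCHAR(128));
INSERT INTO #fct_clients VALUES (N'abc123', N'laptop-01');

-- The payload as quoted by Horseman, with T-SQL quote doubling inside the literal:
--   abc123' AND 1=0; WAITFOR DELAY '00:00:10' -- '
DECLARE @fctid NVARCHAR(400) = N'abc123'' AND 1=0; WAITFOR DELAY ''00:00:10'' -- ''';

-- 1. Vulnerable pattern: the client-supplied id is concatenated into the
--    statement text, so the quote in it closes the literal and everything
--    after it is executed as SQL. AND 1=0 empties the original query, ";"
--    starts a stacked statement, "--" comments out the trailing quote.
DECLARE @sql NVARCHAR(MAX) =
    N'SELECT hostname FROM #fct_clients WHERE fctid = ''' + @fctid + N'''';
PRINT @sql;
-- SELECT hostname FROM #fct_clients WHERE fctid = 'abc123' AND 1=0; WAITFOR DELAY '00:00:10' -- ''
EXEC (@sql);   -- no rows, then the batch stalls about 10 s: the time-based confirmation

-- 2. What an attacker stacks instead of WAITFOR once the injection is confirmed
--    (shown commented out; it needs ALTER SETTINGS / sysadmin on the login the
--    application uses, and runs commands as the SQL Server service account):
--      EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
--      EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;
--      EXEC xp_cmdshell 'whoami';

-- 3. Hardened form: the id is bound as a parameter, so the identical string is
--    compared as a value and never becomes a statement. No delay, no rows.
EXEC sp_executesql
    N'SELECT hostname FROM #fct_clients WHERE fctid = @id',
    N'@id NVARCHAR(400)',
    @id = @fctid;

DROP TABLE #fct_clients;
```

Parameterization closes the injection, but the escalation in step 2 also depends on the application's database login holding sysadmin; an EMS-style service should connect with a login that can neither run sp_configure nor xp_cmdshell, so that a future injection bug is bounded to the database.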
Cyberattacks Ramp Up on Fortinet; Patch Now
Fortinet bugs are popular targets for attackers, as Chris Boyd, staff research engineer at security firm Tenable, warned in his advisory about the flaw, originally published on March 14. He cited as examples several other Fortinet flaws that threat actors have exploited, such as CVE-2023-27997, a critical heap-based buffer overflow in multiple Fortinet products, and CVE-2022-40684, an authentication bypass in FortiOS, FortiProxy, and FortiSwitch Manager. The latter bug was even sold as a means of giving attackers initial access to victim networks.
"As exploit code has been released and with past abuse of Fortinet flaws by threat actors, including advanced persistent threat (APT) actors and nation-state groups, we highly recommend remediating this vulnerability as soon as possible," Boyd wrote in an update to his advisory after the Horizon3.ai release.
Fortinet and CISA are also urging organizations that did not use the window between the initial advisory and the release of the PoC to patch vulnerable EMS servers immediately.
To help organizations determine whether the flaw has been exploited against them, Horizon3.ai's Horseman described where to look for indicators of compromise (IoCs). "There are various log files in C:\Program Files (x86)\Fortinet\FortiClientEMS\logs that can be examined for connections from unrecognized clients or other malicious activity," he wrote. "The MS SQL logs can also be examined for evidence of xp_cmdshell being utilized to obtain command execution."
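Three checks on the SQL Server side that follow from Horseman's advice, as an added example that is not Fortinet or Horizon3.ai tooling: they rely only on standard SQL Server catalog views, the error log and the plan cache, and assume the responder can connect to the EMS database instance with a sysadmin login (xp_readerrorlog and the DMVs require elevated rights). Nothing about the EMS log format is assumed.

```sql
-- Added example, not from Fortinet or Horizon3.ai. Run in SSMS or sqlcmd against
-- the SQL Server instance that backs FortiClient EMS, as sysadmin.

-- 1. Is xp_cmdshell enabled right now? EMS has no need for it, so value_in_use = 1
--    on this server is itself a finding, whether or not the attacker cleaned up.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Every sp_configure change is written to the SQL Server error log with a
--    timestamp, e.g. "Configuration option 'xp_cmdshell' changed from 0 to 1."
--    Log 0 is the current file; increase the first argument to read archived
--    logs (how many exist depends on the retention setting). Type 1 = SQL log.
EXEC xp_readerrorlog 0, 1, N'xp_cmdshell';
EXEC xp_readerrorlog 1, 1, N'xp_cmdshell';

-- 3. The plan cache may still hold the batches the attacker stacked after the
--    injection point, including the WAITFOR probe. It is volatile (cleared by a
--    restart or memory pressure), so collect this before restarting anything.
--    The NOT LIKE clause keeps this query from matching its own text.
SELECT cp.objtype, cp.usecounts, cp.size_in_bytes, st.text
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE (st.text LIKE '%xp_cmdshell%' OR st.text LIKE '%WAITFOR DELAY%')
  AND st.text NOT LIKE '%dm_exec_cached_plans%';
```

A hit in check 2 with no corresponding change-management record, or any row from check 3 whose text was not issued by an administrator, should be treated as confirmation and the host handled as compromised rather than merely patched.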