Fortinet FortiClient EMS SQL injection flaw exploited in the wild SC Media

Fortinet FortiClient EMS SQL injection flaw exploited in the wild
Laura French

SQL injection in Fortinet FortiClient EMS can lead to RCE.
Critical vulnerabilities in Fortinet FortiClient EMS, the Ivanti EPM Cloud Services Appliance, and the Nice Linear eMerge E-Series OS were added to the U.S. Cybersecurity and Infrastructure Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog Monday.

A high-severity vulnerability in Microsoft SharePoint Server was also added to the KEV database Tuesday.

The Fortinet vulnerability, which was first disclosed on March 12, is a SQL injection flaw that could enable remote code execution (RCE) by an unauthenticated attacker. A proof-of-concept (PoC) exploit for the vulnerability, tracked as CVE-2023-48788, was published on March 21 by Horizon3.ai.

Fortinet also updated its advisory on March 21, indicating that the vulnerability was being exploited in the wild.

“Fortinet diligently balances our commitment to the security of our customers and our culture of transparency. We proactively communicated to customers via Fortinet’s PSIRT Advisory process, advising them to follow the guidance provided,” a Fortinet spokesperson told SC Media in an email.

CVE-2023-48788 has a CVSS score of 9.8 and affects FortiClient EMS versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10.

SQL injection bug enables RCE through command shell
Horizon3.ai researchers outlined in a blog post how key components of FortiClient EMS — an enterprise endpoint management solution — communicate with one another and how an attacker can exploit this chain of connections to achieve RCE.

FmcDaemon.exe, the main component that communicates with enrolled client endpoints, listens for requests on port 8013 and forwards requests for database operations to the FCTDas.exe data access server. FCTDas.exe translates these messages into SQL queries and interacts with the Microsoft SQL Server database.

The researchers found that messages passed between FcmDaemon and FCTDas contained an FCTUID as part of the database query. By crafting a request that alters this FCTUID to include their own input, and transmitting this request through port 8013, the researchers were able to achieve SQL injection due to lack of sanitization for this element.

They further demonstrated how RCE could be achieved by crafting the injected input to execute code through the built-in command shell functionality (xp_cmdshell) of the Microsoft SQL Server. Even when the database was not initially configured to run xp_cmdshell commands, additional SQL injections could be used to enable this function.

The PoC exploit published by the researchers does not include the RCE function but allows users to confirm whether their instance is vulnerable to SQL injection.

Horizon3.ai Exploit Developer James Horseman told SC Media the company hasn’t tracked external activity related to CVE-2023-48788 and referred back to recommendations made in his blog post.

The blog noted users can look for connections from unrecognized clients and other potential indicators of compromise in the log files located at C:\Program Files (x86) \Fortinet\FortiClientEMS\logs. Microsoft SQL Server logs can also be examined for evidence of command execution through xp_cmdshell.

Security organization Shadowserver reported 130 FortiClient EMS instances vulnerable to CVE-2023-48788 were detected by its scanners on March 23, with 30 vulnerable instances in the United States.

“Note we only do a version check on the web interface, exploitation requires access to FmcDaemon on tcp/8013,” the organization wrote on X.

GreyNoise is also tracking the vulnerability and has so far detected four malicious IPs attempting to exploit the flaw, all of which are tagged as opportunistic TLS/SSL crawlers.

CISA released a joint Secure by Design alert with the FBI on Monday advising software developers on preventing SQL injection vulnerabilities. The alert specifically references the MOVEit file transfer service attack as an example of SQL injection exploitation.

Fortinet earlier this year patched another critical flaw in FortiOS and FortiProxy, tracked as CVE-2024-21762, which has since been added to the KEV catalog.

Another CISA joint advisory last month warned that China-backed threat group Volt Typhoon has likely utilized Fortinet CVE-2022-42475, along with Ivanti, NETGEAR, Citrix and Cisco vulnerabilities, in campaigns against critical infrastructure.

Ivanti, Microsoft, Nice vulnerabilities added to KEV
Other severe vulnerabilities added to the KEV catalog this week include a code injection vulnerability in the Ivanti Endpoint Manager (EPM) Cloud Services Appliance (CSA) that was patched in 2021, a command injection vulnerability in Nice Linear eMerge E3 Series devices that was discovered in 2019 and patched just this year, and a Microsoft SharePoint Server code RCE vulnerability patched in May 2023.

According to GreyNoise data, 11 IPs have targeted the critical Ivanti EPM CSA bug tracked as CVE-2021-44529 in the last 30 days. GreyNoise researcher Ron Bowes previously wrote that the bug may be a backdoor originating from an open-source component called csrf-magic.

The Nice (formerly Nortek) bug, tracked as CVE-2019-7256, has a maximum CVSS score of 10 and affects the operating system used in Linear eMerge E3 Series building access control devices. The first confirmation of a patch being available came with a CISA advisory published this month despite evidence of the flaw being exploited in denial-of-service (DoS) attacks as early as February 2020, according to SecurityWeek.

The high-severity Microsoft bug tracked as CVE-2023-24955 requires an attacker to be authenticated as a site owner to achieve RCE. Security researcher Valentin Lobstein previously noted that the flaw could be chained with the actively exploited privilege escalation flaw CVE-2023-29357.