The proof-of-concept exploit is easy to execute, and could foretell wider targeting of the Fortinet vulnerability by attackers.

Security researchers have released technical details and a proof-of-concept (PoC) exploit for a critical vulnerability patched last week in Fortinet’s FortiClient Enterprise Management Server (FortiClient EMS), an endpoint security management solution. The vulnerability, tracked as CVE-2023-48788, was reported to Fortinet as a zero-day by the UK National Cyber Security Centre (NCSC) and was actively exploited in the wild at the time of the patch, but likely in very targeted attacks. The availability of the new PoC, even though it is not weaponized, could enable wider exploitation and easier adoption by more attacker groups.

The flaw is the result of improper sanitization of elements in an SQL command, which could be exploited in an SQL injection scenario to execute unauthorized code or commands on the FortiClient EMS. Customers are advised to upgrade to version 7.0.11 or above for the 7.0.x series and to version 7.2.3 or above for the 7.2.x series.

Fortinet vulnerability trivial to exploit

FortiClient EMS is the central server component used to manage endpoints running FortiClient. According to researchers with penetration testing firm Horizon3.ai, who reconstructed the vulnerability, it lies in a component called FCTDas.exe, or the Data Access Server, which communicates with a Microsoft SQL Server database to store information received from endpoints. Endpoints that have FortiClient installed communicate with a component of the EMS called FmcDaemon.exe over port 8013 using a custom text-based protocol that is encrypted with TLS for protection. FmcDaemon.exe then passes the information to FCTDas.exe in the form of SQL queries that are executed against the database.
The researchers managed to build a Python script to interact with FmcDaemon.exe and send a simple message to update the FCTUID, followed by an SQL injection payload to trigger a 10-second sleep. They then observed that the payload was passed to FCTDas.exe, confirming the vulnerability.

“To turn this SQL injection vulnerability into remote code execution we used the built-in xp_cmdshell functionality of Microsoft SQL Server,” the researchers said in their technical write-up. “Initially, the database was not configured to run the xp_cmdshell command. However, it was trivially enabled with a few other SQL statements.”

The researchers intentionally left the xp_cmdshell code execution part out of the PoC exploit, so it cannot be abused directly without modification. However, the xp_cmdshell technique is well known and has been used to attack Microsoft SQL Server databases before, so that part is not hard to implement.

Fortinet flaws are attractive to attackers

In February, Fortinet patched another critical remote code execution vulnerability in the SSL VPN service of the FortiOS operating system used on its appliances. That vulnerability, tracked as CVE-2024-21762, also came with a warning that it was potentially exploited in the wild. The company also warned that Chinese cyberespionage groups had exploited N-day FortiOS vulnerabilities in the past to target critical infrastructure organizations. This week, the Shadowserver Foundation, an organization that monitors malicious internet traffic, warned that it was seeing widespread CVE-2024-21762 exploitation attempts after an exploit was publicly released, and that over 133,000 internet-exposed Fortinet appliances are still vulnerable a month after the patch.
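The two stages the write-up describes (a stacked time-delay probe riding on an FCTUID update, then xp_cmdshell being enabled through sp_configure) leave recognizable text in SQL Server statement auditing. The following Python is an added example, not code from the article or from Horizon3.ai: it flags those patterns over constructed sample statements (table and column names other than FCTUID are placeholders; the exact EMS schema and payload are assumptions) and applies the fixed-version check from the advisory figures quoted above.

```python
import re
from typing import Dict, List

# Constructed sample statements modelled on the attack chain in the write-up.
# "endpoints"/"id" are placeholder names, not the real FortiClient EMS schema.
SAMPLE_STATEMENTS = [
    "UPDATE endpoints SET FCTUID='A1B2C3' WHERE id=42",
    "UPDATE endpoints SET FCTUID='A1B2C3'; WAITFOR DELAY '0:0:10'--' WHERE id=42",
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE",
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "EXEC master..xp_cmdshell 'whoami'",
    "SELECT name FROM sys.tables",
]

# Detection rules, keyed by the name that will appear in an alert.
RULES = {
    # a second statement stacked after ';' that only delays: classic time-based probe
    "time_delay_probe": re.compile(r";\s*WAITFOR\s+DELAY", re.IGNORECASE),
    # the two sp_configure calls needed before xp_cmdshell can run
    "advanced_options_enable": re.compile(
        r"sp_configure\s+'show advanced options'\s*,\s*1", re.IGNORECASE),
    "xp_cmdshell_enable": re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.IGNORECASE),
    # an actual xp_cmdshell call (the lookahead skips the quoted name in sp_configure)
    "xp_cmdshell_exec": re.compile(r"\bxp_cmdshell\b(?!')", re.IGNORECASE),
}


def classify(statement: str) -> List[str]:
    """Return the names of every rule the statement trips (empty list if benign)."""
    return [name for name, rx in RULES.items() if rx.search(statement)]


def scan(statements: List[str]) -> Dict[int, List[str]]:
    """Map statement index -> triggered rule names, keeping only flagged statements."""
    return {i: classify(s) for i, s in enumerate(statements) if classify(s)}


# Fixed versions per branch, as stated in the article's upgrade advice.
PATCHED = {"7.0": (7, 0, 11), "7.2": (7, 2, 3)}


def ems_is_patched(version: str) -> bool:
    """True if a FortiClient EMS version string meets the fixed version for its branch."""
    parts = tuple(int(p) for p in version.split("."))
    branch = f"{parts[0]}.{parts[1]}"
    if branch not in PATCHED:
        return False  # branch not covered by the figures above: treat as unverified
    return parts >= PATCHED[branch]


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_STATEMENTS).items():
        print(idx, tags, SAMPLE_STATEMENTS[idx])
```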