Security researchers have released technical details and a proof-of-concept (PoC) exploit for a critical vulnerability patched last week in Fortinet’s FortiClient Enterprise Management Server (FortiClient EMS), an endpoint security management solution. The vulnerability, tracked as CVE-2023-48788, was reported to Fortinet as a zero-day by the UK National Cyber Security Centre (NCSC) and was actively exploited in the wild at the time of the patch, but likely in very targeted attacks. The availability of the new PoC, even though not weaponized, could enable wider exploitation and easier adoption by more attacker groups.
The flaw is the result of improper sanitization of elements in an SQL command, which could be exploited in an SQL injection scenario to execute unauthorized code or commands on the FortiClient EMS. Customers are advised to upgrade to version 7.0.11 or above for the 7.0.x series and to version 7.2.3 or above for the 7.2.x series.
Fortinet vulnerability trivial to exploit
FortiClient EMS is the central server component that is used to manage endpoints running FortiClient. According to researchers with penetration testing firm Horizon3.ai, who reconstructed the vulnerability, it is in a component called FCTDas.exe, or the Data Access Server, which communicates with Microsoft SQL Server database to store information received from endpoints.
Endpoints that have FortiClient installed communicate with a component of the EMS called FmcDaemon.exe over port 8013 using a custom text-based protocol that is then encrypted with TLS for protection. FmcDaemon.exe then passes information to FCTDas.exe in the form of SQL queries that are then executed against the database.
The researchers managed to build a Python script to interact with FmcDaemon.exe and send a simple message to update the FCTUID followed by an SQL injection payload to trigger a 10-second sleep. They then observed that the payload was passed to FCTDas.exe, therefore confirming the vulnerability.
“To turn this SQL injection vulnerability into remote code execution we used the built-in xp_cmdshell functionality of Microsoft SQL Server,” the researchers said in their technical write-up. “Initially, the database was not configured to run the xp_cmdshell command. However, it was trivially enabled with a few other SQL statements.”
The researchers intentionally left the xp_cmdshell code execution part out of the PoC exploit, so it cannot be abused directly without modification. However, the xp_cmdshell technique is well known and has been used to attack Microsoft SQL Server databases before, meaning it’s not hard to implement that part.
Fortinet flaws are attractive to attackers
In February, Fortinet patched another critical remote code execution vulnerability in the SSL VPN service of the FortiOS operating system used on its appliances. That vulnerability, tracked as CVE-2024-21762, also came with a warning that it was potentially exploited in the wild. The company also warned that Chinese cyberespionage groups exploited N-day FortiOS vulnerabilities in the past to target critical infrastructure organizations.