Urgent Security Alert: Critical FortiSIEM Flaw (CVE-2024-23108) Actively Exploited – Patch Now
A critical vulnerability has been identified in Fortinet’s FortiSIEM platform that is currently being actively exploited by attackers in the wild. This flaw allows for unauthenticated, remote command execution, posing a severe risk to organizations that use the affected security information and event management tool.
The vulnerability, tracked as CVE-2024-23108, carries a critical severity rating of 9.8 out of 10. This high score reflects the ease of exploitation and the potential for complete system compromise. Attackers can leverage this flaw to execute arbitrary commands on the underlying system with the highest possible privileges.
Understanding the Threat: CVE-2024-23108 Explained
This vulnerability is a command injection flaw within the FortiSIEM solution’s API. A remote attacker, without needing any credentials, can send a specially crafted request to the server. If the system is unpatched, this malicious request can trick the application into executing commands directly on the operating system.
The consequences of a successful exploit are severe:
- Complete System Takeover: Attackers can achieve unauthorized command execution on the server.
- Root-Level Privileges: The commands are executed with root privileges, giving the attacker full control over the compromised machine.
- Data Breach and Network Pivoting: Since FortiSIEM is a central hub for security logs and data, its compromise can lead to a catastrophic data breach. Attackers can also use the compromised server as a pivot point to launch further attacks across the internal network.
A Dangerous Pattern: This Flaw Bypasses a Previous Patch
Disturbingly, this new vulnerability is not an entirely new discovery. It is a bypass for a previously patched flaw, CVE-2023-34992, which was addressed in late 2023. Attackers have evidently analyzed the initial fix and discovered a new method to achieve the same dangerous outcome.
This development underscores the persistence of threat actors and highlights the critical need for immediate action. Simply having applied the previous patch is not enough; systems remain vulnerable until the latest security update is installed.
Which FortiSIEM Versions Are at Risk?
If your organization uses FortiSIEM, it is imperative to check your version number immediately. The following versions are confirmed to be vulnerable to this active threat:
- FortiSIEM version 7.1.x (before 7.1.2)
- FortiSIEM version 7.0.x (before 7.0.1)
- FortiSIEM version 6.7.x (before 6.7.9)
- FortiSIEM version 6.6.x (before 6.6.4)
- FortiSIEM version 6.5.x (before 6.5.3)
- FortiSIEM version 6.4.x (before 6.4.3)
Immediate Steps to Protect Your Systems
Given that this vulnerability is being actively exploited, time is of the essence. We strongly recommend all system administrators take the following actions without delay.
1. Patch Immediately
Fortinet has released security patches to address this critical flaw. Applying these patches is the most critical step to protect your environment from this threat. Upgrade your FortiSIEM instances to the following versions or later:
- FortiSIEM 7.1.2
- FortiSIEM 7.0.1
- FortiSIEM 6.7.9
- FortiSIEM 6.6.4
- FortiSIEM 6.5.3
- FortiSIEM 6.4.3
2. Review Network Exposure
As a fundamental security best practice, you should never expose the FortiSIEM management interface directly to the public internet. Access should be restricted to trusted internal networks and managed through a secure VPN or other access control measures. If your interface is currently internet-facing, remediate this immediately to reduce your attack surface, even after patching.
3. Hunt for Signs of Compromise
Because this vulnerability is being exploited in the wild, organizations should assume they may have been targeted. It is crucial to actively hunt for any signs of compromise. Review server logs for unusual activity, unexpected processes, or suspicious outbound network connections originating from the FortiSIEM server. If any evidence of an intrusion is found, activate your incident response plan immediately.
The active exploitation of CVE-2024-23108 makes it one of the most serious threats facing security teams today. Procrastination is not an option—patch your systems, verify your network configurations, and investigate for potential breaches now.
Source: https://securityaffairs.com/181104/hacking/critical-fortisiem-flaw-under-active-exploitation-fortinet-warns.html
