Double trouble for Fortinet customers as pair of critical vulns found in FortiSIEM


Fortinet's FortiSIEM product is vulnerable to two new maximum-severity security vulnerabilities that allow for remote code execution.

Both CVE-2024-23108 and CVE-2024-23109 have been assigned provisional scores of 10 on the CVSS scale, suggesting exploits can be carried out remotely by unauthenticated attackers, are low in complexity, and require no user interaction to pull off.

In registering the CVE identities for the vulnerabilities, Fortinet linked to its own advisory to provide more information, but the link directs users to an older issue that was addressed in early October 2023.

"Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests," the advisory's description of the vulnerability reads.

Taking a glance at older, cached versions of the same advisory, we can see that the list of affected products has recently been updated, adding further FortiSIEM versions. Despite Fortinet's advisory not being officially updated (yet), this suggests the two new vulnerabilities may be similar in nature to the one fixed in October, affecting newer versions of FortiSIEM.

The Register asked Fortinet for clarity on the matter but did not receive a response.

We also spoke to application security expert Sean Wright, who said the two most recent vulnerabilities in FortiSIEM will likely be classified as the same vulnerability from October (CVE-2023-34992), or at least a variant of it that impacts different or additional versions.

Hopefully Fortinet will provide some clarity on the matter in the coming days, though discerning the differences between vulnerabilities, especially in the early days of disclosure, can often be confusing for security pros sifting through conflicting details, as we are here with the yet-to-be-updated advisory.

The National Vulnerability Database listings for CVE-2024-23108 and CVE-2024-23109 indicate both are currently under review, so we'll probably learn more about the issues at a later date.


Although there is no known publicly available exploit code, Fortinet customers will want to get these vulnerabilities sorted out as soon as possible given their severity.

The following versions are confirmed to be vulnerable:

  • 7.1.0 through 7.1.1
  • 7.0.0 through 7.0.2
  • 6.7.0 through 6.7.8
  • 6.6.0 through 6.6.3
  • 6.5.0 through 6.5.2
  • 6.4.0 through 6.4.2

Customers can upgrade to version 7.1.2 today and have these vulnerabilities plugged, or wait for upcoming versions if for some reason upgrading to the very latest version is unfeasible.

Fortinet said it will be releasing new versions for 7.0.x, 6.7.x, 6.6.x, 6.5.x, and 6.4.x soon, without specifying an expected date. ®