Fortinet snafu: Critical FortiSIEM CVEs are duplicates, issued in error

Trending 3 weeks ago

Fortinet

NVD published two advisories this week for captious bid injection vulnerabilities purportedly impacting Fortinet's FortiSIEM products, but there's much to what meets nan eye.

BleepingComputer has confirmed that these CVEs are not "new," but duplicates of a previously known FortiSIEM vulnerability and were issued successful error.

Fortinet: 'No caller vulnerability' successful FortiSIEM successful 2024

Two captious severity vulnerability advisories person emerged connected NVD, implicating ForiSIEM, Fortinet's SIEM solution.

These OS bid injection vulnerabilities, tracked as CVE-2024-23108 and CVE-2024-23109 were each scored arsenic a 10/10, nan highest connected the CVSS standard that is utilized to specify the severity associated pinch a vulnerability.

Confusingly enough, Fortinet's advisory associated pinch these CVEs bears a publication day of "Oct 10, 2023"—not yesterdaty's, and additionally lists a antecedently known CVE-2023-34992, also a captious FortiSIEM OS bid injection flaw.

Fortinet FortiSIEM advisoryFortinet advisory for captious FortiSIEM vulnerability lists 3 CVEs
(BleepingComputer)

BleepingComputer reached retired to nan vendor for explanation and turns out, there's thing to spot here—the 2 caller CVE IDs, CVE-2024-23108 and CVE-2024-23109 person been generated successful error.

"A modification was made to nan original FG-IR-23-130 - which commonly happens to guarantee ongoing accuracy of accusation and updates are pushed to nan NVD Database successful parallel to support nan 2 systems successful sync," a Fortinet spokesperson told BleepingComputer.

"In this instance, owed to an rumor pinch nan API which we are presently investigating, alternatively than an edit, this resulted successful 2 caller CVEs being created, duplicates of nan original CVE-2023-34992.  There is nary caller vulnerability published for FortiSIEM truthful acold successful 2024, this is simply a strategy level correction and we are moving to rectify and retreat nan erroneous entries."

As such, MITRE, NVD, and different vulnerability intel sources should ideally soon commencement revoking advisories for CVE-2024-23108 and CVE-2024-23109.

Consequently, InfoSec/IT teams that person already addressed past year's CVE-2023-34992 successful their environments should not request to return immoderate further action. We still recommending checking retired Fortinet's latest advisory connected nan CVE to beryllium definite of affected products and versions pinch a fix.

Command injection vulnerability successful review

Disclosed successful October past year, nan now-patched CVE-2023-34992 is an OS Command Injection vulnerability successful FortiSIEM supervisor that could let unauthenticated distant attackers "to execute unauthorized commands via crafted API requests."

In November 2023, a version of CVE-2023-34992 emerged, tracked astatine nan clip arsenic CVE-2023-36553 and akin successful position of its quality and severity.

Fortinet products see firewalls, endpoint security, and intrusion discovery systems commonly utilized by enterprises. These person often been targeted by sophisticated, state-backed hacking groups, for entree to an organization's network.

Last year, various cybersecurity reports confirmed bugs successful Fortinet products being exploited by Iranian hackers to onslaught U.S. aeronautical firms and Chinese cyber-espionage clusters [1, 2].

Additionally, location person been cases wherever hackers exploited zero-day vulnerabilities successful Fortinet products to breach authorities networks, discovered aft painstakingly reverse-engineering circumstantial FortiGate OS components.

Sergiu Gatlan of BleepingComputer contributed to this report.