Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Fortinet Patches Critical Vulnerabilities in FortiSIEM

Two critical OS command injection flaws in FortiSIEM could allow remote attackers to execute arbitrary code.

Cybersecurity solutions provider Fortinet this week warned that two critical-severity vulnerabilities in FortiSIEM could lead to remote code execution.

The issues, tracked as CVE-2024-23108 and CVE-2024-23109, have a provisional CVSS score of 10, as they can be exploited without authentication.

Each of these bugs is described as “improper neutralization of special elements”, and both appear linked to CVE-2023-34992 (CVSS score of 9.8), which was addressed in October 2023.

Fortinet did not issue a separate advisory for the new flaws, instead merging them into the initial advisory on CVE-2023-34992, which suggests that the three issues might be connected or that they are variations of the same vulnerability.

“Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests,” Fortinet’s advisory reads.

According to a NIST analysis of recent Fortinet vulnerabilities, CVE-2023-34992 is easily exploitable without user interaction, with high impact on availability, confidentiality, and integrity. The newly identified security holes are likely no different.

Fortinet’s advisory reveals that the bugs impact FortiSIEM versions 7.1.x, 7.0.x, 6.7.x, 6.6.x, 6.5.x, and 6.4.x. Patches were included in FortiSIEM version 7.1.2, while security updates for the remaining vulnerable iterations are pending.

On Tuesday, CERT-EU issued an alert (PDF) on CVE-2024-23108 and CVE-2024-23109, urging FortiSIEM users to update to a patched version as soon as possible.

Advertisement. Scroll to continue reading.

While Fortinet makes no mention of any of these vulnerabilities being exploited in the wild, security defects in the company’s products are known to have been targeted in malicious attacks.

In November 2023, Fortinet announced patches for another variant of CVE-2023-34992. Discovered internally, the security defect is tracked as CVE-2023-36553 and has a CVSS score of 9.3.

Related: Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products

Related: US Aeronautical Organization Hacked via Zoho, Fortinet Vulnerabilities

Related: Fortinet Patches Critical FortiOS Vulnerability Leading to Remote Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.