Déjà Vu Debunked: Fortinet’s FortiSIEM “New” Vulnerabilities Are Old News!

FortiSIEM Fiasco: NVD’s déjà vu as ‘critical vulnerabilities’ turn out to be reruns of last season’s cliffhanger. No need for a security sequel—Fortinet confirms it’s just an API blooper rerolling CVE credits!

Hot Take:

Deja Vu or Glitch in the Matrix? The NVD’s “new” advisories on Fortinet’s FortiSIEM sound like a broken record, but really, they’re just echoes of an old tune. Good job, NVD, you almost had us re-patching last year’s patches. Let’s save the command injections for the movies, shall we?

Key Points:

  • The NVD published entries for two “new” critical OS command injection vulnerabilities in Fortinet’s FortiSIEM that turned out to be duplicates of an existing one.
  • BleepingComputer clarified that CVE-2024-23108 and CVE-2024-23109 were published in error and are not new threats.
  • Fortinet confirmed the cause was an API issue that generated duplicate records for an already known vulnerability, CVE-2023-34992 (the records below list Fortinet as the assigner).
  • Per Fortinet, IT teams who addressed CVE-2023-34992 last year need do nothing further. One check is still worth making: the affected-version lists in the two 2024 records below include releases (7.1.0 through 7.1.1, 7.0.1 through 7.0.2, 6.7.6 through 6.7.8 and 6.5.2) that the CVE-2023-34992 record does not, so confirm the installed build against both lists rather than assuming last year’s fix covers it.
  • Fortinet’s products, FortiSIEM included, are high-value targets for state-backed attackers and have been hit by zero-day exploitation in the past.

CVE ID: CVE-2024-23109
CVE state: PUBLISHED
CVE assigner short name: fortinet
CVE date updated: 02/05/2024
CVE description: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests.

CVE ID: CVE-2023-36553
CVE state: PUBLISHED
CVE assigner short name: fortinet
CVE date updated: 11/14/2023
CVE description: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM version 5.4.0 and 5.3.0 through 5.3.3 and 5.2.5 through 5.2.8 and 5.2.1 through 5.2.2 and 5.1.0 through 5.1.3 and 5.0.0 through 5.0.1 and 4.10.0 and 4.9.0 and 4.7.2 allows an attacker to execute unauthorized code or commands via crafted API requests.

CVE ID: CVE-2023-34992
CVE state: PUBLISHED
CVE assigner short name: fortinet
CVE date updated: 10/10/2023
CVE description: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM version 7.0.0 and 6.7.0 through 6.7.5 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.1 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests.

CVE ID: CVE-2024-23108
CVE state: PUBLISHED
CVE assigner short name: fortinet
CVE date updated: 02/05/2024
CVE description: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests.
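The Key Points say anyone who fixed CVE-2023-34992 is done, yet the affected-version clauses in the CVE records above do not line up: the two 2024 records list builds (7.1.x, 7.0.1 through 7.0.2, 6.7.6 through 6.7.8, 6.5.2) that the CVE-2023-34992 record never did. The script below is an illustration added to this page, not code from Fortinet, NVD or BleepingComputer. It copies the four affected-version strings exactly as they appear above and reports which records list a given installed version. The grammar it parses ("A through B" ranges and lone versions joined by "and") is inferred from those strings and is an assumption, not a documented NVD format; the sample versions at the bottom are constructed to straddle the range boundaries.

```python
"""Check an installed FortiSIEM version against the affected-version
clauses quoted in the four CVE records above.

Added illustration for this page; not code from Fortinet, NVD or
BleepingComputer. The AFFECTED strings are copied from the CVE
descriptions as they appear above. The grammar they are parsed with
("A through B" ranges and lone versions, joined by "and") is inferred
from those strings and is an assumption, not a documented NVD format.
"""
import re

# Affected-version clauses, copied from the CVE descriptions on this page.
AFFECTED = {
    "CVE-2023-34992": (
        "7.0.0 and 6.7.0 through 6.7.5 and 6.6.0 through 6.6.3 "
        "and 6.5.0 through 6.5.1 and 6.4.0 through 6.4.2"
    ),
    "CVE-2024-23108": (
        "7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 "
        "and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2"
    ),
    "CVE-2024-23109": (
        "7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 "
        "and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2"
    ),
    "CVE-2023-36553": (
        "5.4.0 and 5.3.0 through 5.3.3 and 5.2.5 through 5.2.8 "
        "and 5.2.1 through 5.2.2 and 5.1.0 through 5.1.3 "
        "and 5.0.0 through 5.0.1 and 4.10.0 and 4.9.0 and 4.7.2"
    ),
}

Version = tuple[int, ...]

# One clause element: "6.7.0 through 6.7.5" or a lone "7.0.0" (assumed grammar).
_ELEMENT = re.compile(r"^(\d+(?:\.\d+)*)(?:\s+through\s+(\d+(?:\.\d+)*))?$")


def parse_version(text: str) -> Version:
    """Turn "6.7.10" into (6, 7, 10) so tuple comparison orders versions
    numerically rather than lexically ("6.7.10" must sort above "6.7.9")."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def parse_clause(clause: str) -> list[tuple[Version, Version]]:
    """Split an affected-version clause into inclusive (low, high) ranges.
    A lone version becomes the degenerate range (v, v)."""
    ranges = []
    for element in clause.split(" and "):
        match = _ELEMENT.match(element.strip())
        if not match:
            raise ValueError(f"unparseable element: {element!r}")
        low = parse_version(match.group(1))
        high = parse_version(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"inverted range: {element!r}")
        ranges.append((low, high))
    return ranges


def is_affected(version: str, clause: str) -> bool:
    """True if version falls inside any range of the clause."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in parse_clause(clause))


def affecting_cves(version: str, table: dict[str, str] = AFFECTED) -> list[str]:
    """All CVE IDs in the table whose affected-version clause lists version."""
    return sorted(cve for cve, clause in table.items() if is_affected(version, clause))


def covered_only_by(new_cve: str, old_cve: str, candidates: list[str],
                    table: dict[str, str] = AFFECTED) -> list[str]:
    """Candidate versions listed by new_cve but not by old_cve: the builds
    for which "we already fixed old_cve" says nothing."""
    return [v for v in candidates
            if is_affected(v, table[new_cve]) and not is_affected(v, table[old_cve])]


if __name__ == "__main__":
    # Constructed sample versions chosen to straddle the range boundaries.
    for v in ["6.7.5", "6.7.8", "7.0.0", "7.0.2", "7.1.1", "7.1.2", "5.3.3"]:
        print(f"{v:>7}: {', '.join(affecting_cves(v)) or 'not listed'}")
    print("listed by CVE-2024-23108 but not CVE-2023-34992:",
          covered_only_by("CVE-2024-23108", "CVE-2023-34992",
                          ["6.7.5", "6.7.8", "7.0.0", "7.0.2", "7.1.1"]))
```

Run it with your own build string in place of the samples. A version such as 6.7.5 comes back listed by all three 7.x/6.x records, while 7.0.2 or 6.7.8 is listed only by the 2024 pair; that is exactly the gap the "nothing further to do" advice glosses over, and the reason the comparison is done on integer tuples rather than on the raw strings.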

Need to know more?

Copy-Paste Catastrophe:

It appears the National Vulnerability Database (NVD) got a little trigger-happy, prompting a collective eye-roll from the cybersecurity community. BleepingComputer put on its detective hat and revealed that the alleged "new" critical vulnerabilities in FortiSIEM are nothing but a technical hiccup: the same already-known flaw published a second (and third) time under fresh CVE identifiers, a severe case of déjà vu.

CSI: Cyber - The Case of the Erroneous CVEs:

Fortinet played the role of the calm crisis manager, explaining that a pesky API issue caused the duplicate records to be published; the records above list Fortinet, not NVD, as the assigner, which fits that explanation. They reassured everyone that the cybersecurity sky isn't falling; it's just raining API errors. So, cyber sheriffs, you can holster your patching tools and ride off into the sunset, once you have confirmed that the installed FortiSIEM build sits outside every affected range quoted above, not just the one in the CVE-2023-34992 record.

History Lesson in Hacking:

For those not in the know, FortiSIEM's vulnerabilities have been the cybersecurity equivalent of a Hollywood blockbuster, complete with uninvited actors (hackers) and international intrigue. Last year's CVE-2023-34992 has the same flavor as the supposedly new ones: an OS command injection reachable through crafted API requests, which hands an attacker command execution on the SIEM host itself, the box that is supposed to be watching everything else. Fortinet's drama series includes episodes featuring Iranian and Chinese hackers, and a nail-biting season finale where zero-days led to government network infiltrations. Grab your popcorn!

False Alarm, Folks:

In conclusion, the InfoSec community can breathe a sigh of relief knowing that the recent advisories were a case of mistaken identity in the vulnerability world. It's a reminder to stay vigilant, and to check a CVE's affected-version list against your own inventory before either panicking or dismissing it, but it's also a nod to the fact that sometimes the biggest threats are just shadows of the past, or in this case, a technical goof. Keep calm and carry on securing your networks!

Tags: CVE-2023-34992, CVE-2024-23108, CVE-2024-23109, Fortinet Products, FortiSIEM Vulnerability, OS Command Injection, Vulnerability Advisory Errors