Fortinet Seals the Deal: Critical RCE Flaw in EMS Patched, Admins Urged to Update Now!

Beware, cyber guardians! Fortinet’s EMS had a bug nastier than your in-laws’ opinions—CVE-2023-48788. SQL injection with a side of RCE, now patched, but it’s been a wild digital rodeo. Patch up or face the digital stampede! 🐛💻🤠 #PatchItUp

Hot Take:

Fortinet’s latest patch is like a digital Band-Aid for the gaping wound that was CVE-2023-48788. It’s SQL injection, folks! Didn’t we agree to leave this bug back in the 2000s, along with frosted tips and dial-up internet? But here we are – attackers had a VIP pass to RCE city, and the only price of admission was some craftily worded requests. Let’s hope our cyber bouncers are now better at spotting fake IDs.

Key Points:

  • A critical SQL injection vulnerability was found in FortiClient EMS versions 7.0 and 7.2.
  • Unauthenticated attackers could gain remote code execution with SYSTEM privileges – no user interaction needed!
  • The UK’s NCSC and a Fortinet developer played the role of cyber sleuths and unearthed this digital landmine.
  • Fortinet hasn’t seen any evidence of this flaw being exploited in the wild, but let’s face it – it’s a cyber jungle out there.
  • Additional vulnerabilities were also patched, including another critical RCE bug and some high-severity flaws. It’s like a cybersecurity version of whack-a-mole.

Cve id: CVE-2023-47534
Cve state: PUBLISHED
Cve assigner short name: fortinet
Cve date updated: 03/12/2024
Cve description: A improper neutralization of formula elements in a csv file in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.10, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8 allows attacker to execute unauthorized code or commands via specially crafted packets.

Cve id: CVE-2022-42475
Cve state: PUBLISHED
Cve assigner short name: fortinet
Cve date updated: 01/02/2023
Cve description: A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Cve id: CVE-2024-21762
Cve state: PUBLISHED
Cve assigner short name: fortinet
Cve date updated: 02/09/2024
Cve description: A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specifically crafted requests

Cve id: CVE-2023-36554
Cve state: PUBLISHED
Cve assigner short name: fortinet
Cve date updated: 03/12/2024
Cve description: A improper access control in Fortinet FortiManager version 7.4.0, version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.10, version 6.4.0 through 6.4.13, 6.2 all versions allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.

Cve id: CVE-2023-27997
Cve state: PUBLISHED
Cve assigner short name: fortinet
Cve date updated: 06/13/2023
Cve description: A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Cve id: CVE-2023-42789
Cve state: PUBLISHED
Cve assigner short name: fortinet
Cve date updated: 03/12/2024
Cve description: A out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13 allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.

Cve id: CVE-2023-48788
Cve state: PUBLISHED
Cve assigner short name: fortinet
Cve date updated: 03/12/2024
Cve description: A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.
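
The CVE records above give affected builds as inclusive "X through Y" ranges, which is the first thing an EMS admin needs to check before deciding whether to schedule the patch. The following is an added example, not Fortinet's code or anything from the original post: it parses those range phrases out of the description text and tests an installed version against them. The range text for CVE-2023-48788 is quoted from the record above; the other descriptions on this page in the same "X through Y" style can be passed in the same way, but phrases such as "7.2.4 and below" or "1.2 all versions" (used in the CVE-2023-27997 record) are not parsed by this regex and would have to be handled separately.

```python
"""Added example (not Fortinet's code): check an installed FortiClient EMS
version against the affected ranges quoted in the CVE-2023-48788 record."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Affected-range text copied verbatim from the CVE-2023-48788 description on this page.
CVE_2023_48788_AFFECTED = (
    "Fortinet FortiClientEMS version 7.2.0 through 7.2.2, "
    "FortiClientEMS 7.0.1 through 7.0.10"
)

# Matches Fortinet's inclusive "X through Y" phrasing; dotted numeric versions only.
_RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)\s+through\s+(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """Turn '7.2.1' into (7, 2, 1) so Python's tuple ordering does the comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_ranges(description: str) -> List[Tuple[Version, Version]]:
    """Extract every inclusive (low, high) range from a Fortinet-style description."""
    return [
        (parse_version(low), parse_version(high))
        for low, high in _RANGE_RE.findall(description)
    ]


def matching_range(installed: str,
                   description: str = CVE_2023_48788_AFFECTED) -> Optional[Tuple[Version, Version]]:
    """Return the affected range that contains `installed`, or None if it is outside all of them."""
    version = parse_version(installed)
    for low, high in parse_ranges(description):
        if low <= version <= high:
            return (low, high)
    return None


def is_affected(installed: str, description: str = CVE_2023_48788_AFFECTED) -> bool:
    """True when the installed build falls inside any range the advisory text lists."""
    return matching_range(installed, description) is not None


if __name__ == "__main__":
    # Constructed sample inventory: build strings an admin might pull from EMS consoles.
    for build in ("7.2.1", "7.2.3", "7.0.0", "7.0.10", "7.0.11"):
        hit = matching_range(build)
        status = f"AFFECTED (in {hit[0]}..{hit[1]})" if hit else "not in listed ranges"
        print(f"FortiClient EMS {build}: {status}")
```

A version that sits just outside a listed range (7.0.0 here, which the record does not name) is reported as not affected only in the sense that the advisory text does not list it; the decision of whether such a build needs attention still belongs to the vendor advisory, not to this parser.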

Need to know more?

When Admin Tools Go Rogue

FortiClient EMS, a tool designed to keep enterprise endpoints safe, turned out to be the Achilles' heel of the network. Instead of serving up security, it was dishing out SYSTEM-level RCE opportunities on a silver platter. It's like hiring a bodyguard who leaves the back door open while on snack breaks.

Heroes Don't Always Wear Capes

Big shoutout to the NCSC and developer Thiago Santana, who spotted the vulnerability before the digital baddies turned it into their playground. It's always refreshing when the good guys score a point in the endless game of cyber cat and mouse.

More Patches Than a Boy Scout's Sash

Aside from the starring SQL injection vulnerability, Fortinet has been sewing up other security holes faster than a frantic tailor. With out-of-bounds writes and improper access controls on the fix list, it's clear that Fortinet's been busy playing catch-up in the great security patch race.

Deja Vu All Over Again

It seems Fortinet has become a popular hangout spot for cybercrooks. Just last month, they were dealing with another RCE bug that had all the markings of being exploited in the wild. And let's not forget CISA waving red flags and giving federal agencies a week to batten down the hatches. If Fortinet were a nightclub, it would definitely have a one-star safety rating on Cyber Yelp.

The Plot Thickens

As if the cyber soap opera couldn't get any more dramatic, enter the Chinese Volt Typhoon hacking group, with a taste for Fortinet's vulnerabilities and a knack for deploying custom malware. They've been using FortiOS SSL VPN flaws as their secret tunnels into networks, including the Dutch Ministry of Defence. Talk about an A-list guest list for the party of the year – if that party is a black-tie ransomware gala.

Tags: CVE-2023-48788, Exploit Patches, FortiClient EMS, Network Security, Remote Code Execution, SQL Injection, vulnerability management