November 29, 2023 HAWKEYE

CVE-2023-36553: Command Injection Vulnerability in FortiSIEM

Fortinet, a major cybersecurity company, recently published an advisory regarding a critical vulnerability affecting its FortiSIEM Report Server.

Background:

The vulnerability is extremely dangerous since it could allow remote and unauthenticated attackers to execute arbitrary commands on susceptible instances.

The FortiSIEM Report Server, an optional component of Fortinet’s SIEM solution, acts as a centralized repository for storing and managing FortiSIEM reports.

CVE-2023-36553:

The CVE-2023-36553 vulnerability, rated critical (CVSS 9.8), is an OS Command Injection flaw caused by improper neutralization of special elements in user-supplied input. It allows remote attackers to execute commands by sending specially crafted API requests to the FortiSIEM Report Server.

In Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.5, 6.6.0 through 6.6.3, 6.5.0 through 6.5.1, and 6.4.0 through 6.4.2, improper neutralization of special elements used in an OS command ('OS Command Injection') allows an attacker to execute unauthorized code or commands via crafted API requests.

This vulnerability is a variant of CVE-2023-34992, a previously reported critical OS Command Injection vulnerability in FortiSIEM that Fortinet patched in October 2023.

According to Fortinet, the vulnerability is an OS Command Injection issue (CWE-78) within the FortiSIEM Report Server, which may allow remote unauthenticated attackers to execute arbitrary commands via manipulated API calls.

Improper neutralization issues arise when software fails to sanitize input – such as shell metacharacters or control elements – before passing it to an interpreter as part of an OS command. In this case, the software takes values from API requests and hands them to the operating system as executable commands, allowing unauthorized data access, modification, or deletion.
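To make the CWE-78 pattern concrete, the following is an added illustration, not FortiSIEM code and not taken from Fortinet's advisory: a hypothetical report-export handler that builds an OS command from an API parameter, shown beside a hardened version and a simple request-screening check. The binary path, parameter names and sample requests are assumptions.

```python
import re
import shlex

# Hypothetical report-export handler (illustrative only, not FortiSIEM code).
# A report name arrives in an API request and ends up in an OS command.

def build_command_unsafe(report_name: str) -> str:
    """CWE-78 pattern: untrusted input interpolated into a shell command string.
    Shell metacharacters in report_name are not neutralized, so a shell would
    parse them as command structure rather than as data."""
    return f"/usr/local/bin/export_report --name {report_name}"  # assumed path

def shell_tokens(command: str) -> list[str]:
    """Show how a POSIX-style tokenizer splits the string (no execution):
    ';' becomes a separate token and what follows it becomes a new command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)

# Allowlist for the hardened handler: only characters a report name needs.
REPORT_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")

def build_command_safe(report_name: str) -> list[str]:
    """Hardened: strict allowlist validation plus an argv list.
    The list form is passed to the OS without a shell (subprocess.run with the
    default shell=False), so the input can only ever be a single argument."""
    if not REPORT_NAME.fullmatch(report_name):
        raise ValueError("report name contains disallowed characters")
    return ["/usr/local/bin/export_report", "--name", report_name]

# Defensive screening for a gateway or log review: flag API requests whose
# report parameter carries shell metacharacters.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\]")

def flag_suspicious_requests(requests: list[dict]) -> list[str]:
    return [r["id"] for r in requests if SHELL_META.search(r["report"])]

# Constructed sample requests, not real FortiSIEM traffic.
SAMPLE_REQUESTS = [
    {"id": "req-1", "report": "daily_2023-11"},
    {"id": "req-2", "report": "daily; id"},
    {"id": "req-3", "report": "weekly$(id)"},
]

if __name__ == "__main__":
    print(shell_tokens(build_command_unsafe("daily; id")))
    print(build_command_safe("daily_2023-11"))
    print(flag_suspicious_requests(SAMPLE_REQUESTS))
```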

Affected Versions:

Versions impacted by this vulnerability span from FortiSIEM releases 4.7 through 5.4:

  • FortiSIEM 5.4 all versions
  • FortiSIEM 5.3 all versions
  • FortiSIEM 5.2 all versions
  • FortiSIEM 5.1 all versions
  • FortiSIEM 5.0 all versions
  • FortiSIEM 4.10 all versions

At the time of writing, there are no known reports of CVE-2023-36553 being exploited against the FortiSIEM Report Server.

Recommendations:

Fortinet has patched this vulnerability and recommends that customers upgrade FortiSIEM to the following or later versions:

  • 7.1.0
  • 7.0.1
  • 6.7.6
  • 6.6.4
  • 6.5.2
  • 6.4.3