Fortinet has recently rolled out security patches to address two critical command injection vulnerabilities in its FortiSIEM and FortiWLM products. The vulnerabilities, CVE-2023-34992 and CVE-2023-34993, could enable a threat actor to execute arbitrary commands on the compromised system.
CVE-2023-34993, with a CVSS score of 9.6, is an unauthenticated command injection vulnerability in FortiWLM, Fortinet's wireless management platform. The flaw allows attackers to exploit 'OS command injection' vulnerabilities remotely by sending maliciously crafted HTTP get requests, resulting in unauthorized command executions. The affected versions include FortiWLM 8.5.0 to 8.5.4 and FortiWLM 8.6.0 to 8.6.5. Versions 8.5.5, 8.6.6, or higher are not affected.
Similarly, CVE-2023-34992, also scoring 9.6 on the CVSS scale, is a remote unauthenticated OS command injection vulnerability in FortiSIEM, Fortinet's solution for security information and event management. This vulnerability allows attackers to craft specific API requests that, when executed, run unauthorized commands on the system. To mitigate this vulnerability, organizations are advised to urgently upgrade to FortiSIEM version 7.0.1, 6.7.6, or the upcoming versions 6.6.4, 6.5.2, and 6.4.3.
Command injection vulnerabilities arise when an attacker is successful in injecting arbitrary commands into a software application. This can be achieved through various means, such as exploiting input validation vulnerabilities or through maliciously crafted HTTP requests. Once a command is successfully injected into an application, it can be executed on the system, potentially granting the attacker full control over the system. This could enable them to steal data, install malware, or initiate further attacks.
These vulnerabilities were discovered and brought to attention by security researcher Zach Hanley (@hacks_zach) from Horizon3.ai. Fortinet urges all users of FortiWLM and FortiSIEM to update to the latest patched version at the earliest.