Fortinet has issued a warning about two new, not yet patched bypasses of the fix for a severe remote code execution vulnerability in its Security Information and Event Management (SIEM) solution, FortiSIEM. These vulnerabilities, tracked as CVE-2024-23108 and CVE-2024-23109, were originally added to the advisory for the pre-existing flaw, CVE-2023-34992, in a somewhat perplexing update. Initially, it was reported that the new CVEs had been published by mistake, with Fortinet stating they were duplicates of the original CVE-2023-34992.
Fortinet explained, 'In this instance, due to an issue with the API which we are currently investigating, rather than an edit, this resulted in two new CVEs being created, duplicates of the original CVE-2023-34992.' They further clarified that no new vulnerability had been published for FortiSIEM in 2024 and that the creation of the duplicate CVEs was a system-level error. They said they were working to correct this and withdraw the incorrect entries.
However, it was later revealed that CVE-2024-23108 and CVE-2024-23109 are in fact patch bypasses for the original flaw, CVE-2023-34992, discovered by Horizon3 vulnerability expert Zach Hanley. Hanley confirmed that the new CVEs are patch bypasses for the original flaw and that Fortinet had assigned the new IDs to his findings.
Upon further contact with Fortinet, it was revealed that their previous statement was incorrect and that the two new CVEs are indeed variants of the original flaw. Fortinet's PSIRT team followed their process to add the two similar variants, tracked as CVE-2024-23108 and CVE-2024-23109, to their public advisory FG-IR-23-130, which was published in October 2023. The two new CVEs share exactly the same description and score as the initial one.
The new variants, like the original flaw, allow unauthenticated attackers to execute commands via specially crafted API requests. The advisory reads, 'Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.'
While the original flaw, CVE-2023-34992, was addressed in a previous FortiSIEM release, the new variants will be fixed, or have already been fixed, in upcoming versions. Given the critical nature of this flaw, upgrading to one of the forthcoming FortiSIEM versions as soon as they are available is highly recommended. Fortinet vulnerabilities are frequently exploited by threat actors, including ransomware gangs, to gain initial access to corporate networks, so prompt patching is of utmost importance.