Exploit available for critical flaw in FortiClient Server


Security researchers have released technical details and a proof-of-concept (PoC) exploit for a critical vulnerability patched last week in Fortinet’s FortiClient Enterprise Management Server (FortiClient EMS), an endpoint security management solution. The vulnerability, tracked as CVE-2023-48788, was reported to Fortinet as a zero-day by the UK National Cyber Security Centre (NCSC) and was actively exploited in the wild at the time of the patch, but likely in very targeted attacks. The availability of the new PoC, even though not weaponized, could enable wider exploitation and easier adoption by more attacker groups.

The flaw is the result of improper sanitization of elements in an SQL command, which could be exploited in an SQL injection scenario to execute unauthorized code or commands on the FortiClient EMS. Customers are advised to upgrade to version 7.0.11 or above for the 7.0.x series and to version 7.2.3 or above for the 7.2.x series.
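As an added example (not Fortinet's, Horizon3.ai's or the article's own code), the following Python triage helper turns the upgrade guidance above into a check over a fleet inventory: it parses a FortiClient EMS version string and reports whether it is at or above the fixed release for its branch (7.0.11 for 7.0.x, 7.2.3 for 7.2.x). The hostnames and version strings in the sample inventory are constructed for illustration, and any branch the article does not cover (for example 6.4.x) is reported as unknown rather than guessed at.

```python
"""Added example: classify FortiClient EMS versions against the CVE-2023-48788
fixed releases named in the article. Not vendor code; sample data is constructed."""
from typing import Dict, Tuple

# Minimum fixed release per affected branch, taken from the article's upgrade guidance.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 0): (7, 0, 11),
    (7, 2): (7, 2, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into a tuple of ints.

    Anything after whitespace or a dash (e.g. a build tag) is ignored; any other
    shape raises ValueError so malformed inventory entries are not silently passed.
    """
    core = text.strip().split()[0].split("-")[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version string."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # Branch not covered by the article's guidance: defer to the vendor advisory
        # instead of guessing either way.
        return "unknown-branch"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map a {hostname: version} inventory to {hostname: status}."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "ems-prod-01": "7.0.10",
    "ems-prod-02": "7.0.11",
    "ems-lab-01": "7.2.2",
    "ems-lab-02": "7.2.3 build 0001",
    "ems-old-01": "6.4.9",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Only the two branches the article names get a verdict; anything else is flagged for manual review against Fortinet's advisory rather than marked safe. Run it against the output of whatever asset inventory records the EMS version, and treat every `vulnerable` host as a patching priority given that exploitation was already observed before the fix shipped.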

Fortinet vulnerability trivial to exploit

FortiClient EMS is the central server component used to manage endpoints running FortiClient. According to researchers with penetration testing firm Horizon3.ai, who reconstructed the vulnerability, it lies in a component called FCTDas.exe, or the Data Access Server, which communicates with the Microsoft SQL Server database to store information received from endpoints.

Endpoints that have FortiClient installed communicate with a component of the EMS called FmcDaemon.exe over port 8013, using a custom text-based protocol wrapped in TLS. FmcDaemon.exe then passes the received information to FCTDas.exe in the form of SQL queries, which are executed against the database.

The researchers managed to build a Python script to interact with FmcDaemon.exe and send a simple message to update the FCTUID followed by an SQL injection payload to trigger a 10-second sleep. They then observed that the payload was passed to FCTDas.exe, therefore confirming the vulnerability.

“To turn this SQL injection vulnerability into remote code execution we used the built-in xp_cmdshell functionality of Microsoft SQL Server,” the researchers said in their technical…