Cybersecurity Threat Advisory

Fortinet has released security updates for an unauthorized code execution vulnerability impacting their FortiClientEMS (Endpoint Management Server) product. The vulnerability, CVE-2023-48788, allows unauthenticated malicious actors to execute code or commands on the server via specially crafted requests. This Cybersecurity Threat Advisory provides recommendations to mitigate the potential impact on your devices.

What is the threat?

CVE-2023-48788 resides in the Fortinet FortiClientEMS software, which provides visibility into devices across the network, securely assigns security profiles to endpoints, and offers automation capabilities. The vulnerability is an SQL injection in the DB2 Administration Server (DAS), which allows unauthenticated attackers to perform remote code execution with SYSTEM privileges, without requiring user interaction. The following versions are affected by this vulnerability:

  • FortiClientEMS 7.2.0 through 7.2.2
  • FortiClientEMS 7.0.1 through 7.0.10

Why is it noteworthy?

FortiClientEMS is endpoint security software used in enterprise networks. The vulnerability has been observed being exploited without authentication, with code running at the SYSTEM level and no user interaction required. Together, these characteristics earned CVE-2023-48788 a CVSS rating of 9.3 out of a maximum of 10, a critical rating.

What is the exposure or risk?

This FortiClientEMS vulnerability can lead to significant exposure and risk for organizations that use the product. If exploited successfully, it could allow an attacker to gain access without authentication or user interaction. As seen recently, this potentially opens a gateway for attackers to execute malicious code on endpoints.

What are the recommendations?

Barracuda MSP recommends the following actions to keep your environment secure:

  • Upgrade affected FortiClientEMS instances to the latest versions:
    • FortiClientEMS 7.2.0 through 7.2.2, upgrade to 7.2.3 or above
    • FortiClientEMS 7.0.1 through 7.0.10, upgrade to 7.0.11 or above
  • Utilize network segmentation to mitigate the impact of potential compromises and prevent lateral movement by malicious actors.
  • Enforce strong access controls as a layered security approach, such as robust passwords and multi-factor authentication.
  • Utilize Barracuda XDR for comprehensive security monitoring and for detecting unusual activity across endpoint devices.
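
To apply the affected ranges and upgrade targets listed above to an asset inventory, the following added example (not part of the original advisory or any Fortinet tooling) classifies each recorded FortiClientEMS version. The hostnames, build suffixes and function names are constructed for illustration; versions are compared numerically so that 7.0.10 is not mistaken for being lower than 7.0.2.

```python
"""Triage a FortiClientEMS inventory against the CVE-2023-48788 ranges in this advisory."""
import re

# (lowest affected, highest affected, minimum fixed), exactly as listed in the advisory.
AFFECTED = [
    ((7, 2, 0), (7, 2, 2), (7, 2, 3)),
    ((7, 0, 1), (7, 0, 10), (7, 0, 11)),
]


def parse_version(text):
    """Return (major, minor, patch) from strings like '7.2.2' or 'v7.0.10.0538'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text):
    """Return ('affected', fix), ('not_listed', None) or ('unknown', None)."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return ("unknown", None)  # keep for manual review instead of assuming safe
    for low, high, fixed in AFFECTED:
        if low <= version <= high:  # tuple comparison is numeric per component
            return ("affected", ".".join(map(str, fixed)))
    return ("not_listed", None)  # outside the ranges this advisory names


def triage(inventory):
    """Map hostname -> assessment for a {hostname: version string} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and build suffix are made up).
SAMPLE = {
    "ems-hq": "7.2.2",
    "ems-branch": "7.0.10.0538",
    "ems-lab": "7.2.3",
    "ems-old": "7.0.0",
    "ems-dr": "not recorded",
}

if __name__ == "__main__":
    for host, (status, fix) in sorted(triage(SAMPLE).items()):
        note = f"upgrade to {fix} or above" if fix else "check manually"
        print(f"{host:12} {status:11} {note if status != 'not_listed' else ''}")
```

A `not_listed` result only means the version falls outside the two ranges this advisory names; `unknown` entries should be checked by hand.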

If you have any questions regarding this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.


Posted by Matthew Russo

Matthew is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Matthew supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
