FortiSIEM versions 5.2.8 and below are vulnerable to an unauthorized remote command execution vulnerability via Expression Language injection. This advisory notes that the Richsploit exploit can be leveraged to still achieve code execution.
41a7244cc155ca357017d0f400fa1ea31bc629fca173cb7784ea84fc938847b4On June 21st 2020 Fortinet has released a security bulletin for its
FortiSIEM product: https://www.fortiguard.com/psirt/FG-IR-20-041. All
versions of the product equal to/minor than 5.2.8 are vulnerable to an
unauthorized remote command execution via Expression Language injection.
The affected component, found and reported by Code White guys, is an old
acquaintance of ours: the infamous java library Richfaces.
7 months ago we have publicly released a working proof of concept named
Richsploit (https://github.com/redtimmy/Richsploit) aimed to exploit 4
different Richfaces RCE bugs, including the one mentioned in the
Fortinet security bulletin.
However, the tool does not work as-is against FortiSIEM <= 5.2.8 as the
malicious payload requires some modifications in order to produce the
desired effects. We have fixed that and wrote a post about it.
Also we have been able to identify several vulnerable instances of
FortiSIEM exposed over the internet, even owned by Fortinet itself. We
have responsibly reported their presence to the vendor(s).
If you are interest, the most relevant details can be consulted from
https://www.redtimmy.com/fortinet-siem-vulnerability-allows-us-to-get-rce-on-internet-exposed-hosts/
regards
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed