Multiple remote unauthenticated OS command injection
Summary
Multiple improper neutralization of special elements used in an OS command vulnerabilities [CWE-78] in the FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.
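The following is an added, generic illustration of the CWE-78 pattern named above and of its hardened form; it is not FortiSIEM's code, and the handler, the `host` parameter and the `ping` command are assumptions chosen for demonstration. It shows why concatenating an API parameter into a shell string lets metacharacters change the executed command, a detection-side check for such values, and the two usual fixes (allow-list validation with an argv list, or shlex quoting when a shell cannot be avoided).

```python
"""
Generic CWE-78 illustration: an API parameter reaching an OS command.
Added example, NOT FortiSIEM's code; endpoint, parameter and command
are assumptions for demonstration only.
"""
import re
import shlex
import subprocess

# Characters that let attacker-controlled input alter the command once the
# string is parsed by /bin/sh (shell=True). Used for the detection check.
SHELL_METACHARS = re.compile(r"[;&|`$()<>\n\\\"']")

# Allow-list for a hostname parameter (RFC 1123 labels); anything else is
# rejected instead of being "escaped".
HOSTNAME_LABELS = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted parameter concatenated into a shell
    string that would later be passed to subprocess.run(..., shell=True).
    Returned, not executed, so the effect can be inspected safely."""
    return "ping -c 1 " + host


def contains_shell_metachars(value: str) -> bool:
    """Detection-side check for request logging / WAF rules: flag parameter
    values that carry shell syntax."""
    return SHELL_METACHARS.search(value) is not None


def build_command_safe(host: str) -> list[str]:
    """Hardened pattern: validate against an allow-list, then build an argv
    list so no shell ever parses the value (shell=False)."""
    if len(host) > 253 or HOSTNAME_LABELS.fullmatch(host) is None:
        raise ValueError(f"rejected hostname parameter: {host!r}")
    return ["ping", "-c", "1", host]


def build_command_quoted(host: str) -> str:
    """Fallback when a shell is unavoidable: shlex.quote() turns the whole
    value into one shell word, so metacharacters stay inside the argument."""
    return "ping -c 1 " + shlex.quote(host)


def run_safe(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell."""
    argv = build_command_safe(host)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed sample request value, as an attacker-style input would look.
    tainted = "localhost; echo injected"
    print("unsafe string :", build_command_unsafe(tainted))
    print("flagged       :", contains_shell_metachars(tainted))
    print("quoted string :", build_command_quoted(tainted))
    try:
        build_command_safe(tainted)
    except ValueError as exc:
        print("safe rejected :", exc)
    print("safe argv     :", build_command_safe("localhost"))
```

The unsafe builder yields a string in which the second statement after `;` would run as a separate command; the safe builder never produces a string at all, and the allow-list rejects the value before any process is spawned. Logging hits from `contains_shell_metachars` on API parameters is a cheap detection signal for probing of this vulnerability class.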
Affected Products
FortiSIEM version 7.1.0 through 7.1.1
FortiSIEM version 7.0.0 through 7.0.2
FortiSIEM version 6.7.0 through 6.7.8
FortiSIEM version 6.6.0 through 6.6.3
FortiSIEM version 6.5.0 through 6.5.2
FortiSIEM version 6.4.0 through 6.4.3
FortiSIEM 6.3 all versions are not affected
FortiSIEM 6.2 all versions are not affected
FortiSIEM 6.1 all versions are not affected
FortiSIEM 5.4 all versions are not affected
FortiSIEM 5.3 all versions are not affected
Solutions
Please upgrade to FortiSIEM version 7.1.2 or above
Please upgrade to FortiSIEM version 7.0.3 or above
Please upgrade to FortiSIEM version 6.7.9 or above
Please upgrade to FortiSIEM version 6.6.4 or above
Please upgrade to FortiSIEM version 6.5.3 or above
Please upgrade to FortiSIEM version 6.4.4 or above
Please upgrade to upcoming FortiSIEM version 7.2.0 or above
Acknowledgement
Fortinet is pleased to thank security researcher Zach Hanley (@hacks_zach) of Horizon3.ai for discovering and reporting this vulnerability under responsible disclosure.
Timeline
2023-10-10: Initial publication
2024-01-31: Updated with two variants (CVE-2024-23108, CVE-2024-23109), updated versions in Solutions accordingly