Fortinet FortiClient EMS Vulnerability A Deep Dive into and Bridging the Gap in Cybersecurity with ASPM and Vulnerability Management

 Attack Surface and Posture Management (ASPM) alongside vulnerability management stand as twin pillars essential for fortifying cybersecurity defences. With the recent discovery of CVE-2023-48788, a critical SQL Injection vulnerability within Fortinet FortiClient EMS, Fortinet has released an official advisory that highlights the importance of updates at scale and vulnerability management practices.

The Case of CVE-2023-48788

CVE-2023-48788 is a stark reminder of the persistent threat posed by SQL Injection vulnerabilities. Identified in the Fortinet FortiClient EMS, a platform designed to manage endpoint security, this vulnerability allowed attackers to execute arbitrary SQL commands, potentially leading to data theft, unauthorized access, and remote code execution.

This vulnerability is particularly concerning because it affects a security tool itself, highlighting that no entity is immune to cybersecurity threats. The issue was rooted in the improper sanitization of user-supplied inputs in database queries, a common cause behind SQL Injection vulnerabilities.

Vulnerability Details for CVE-2023-48788  

Date: 24/MAR/24

Class: Sql injection

CWE: CWE-89 / CWE-74 / CWE-707

ATT&CK: T1505

Local: No

Remote: Yes

Availability: No

Status: Not defined

EPSS Score: 0.00091

EPSS Percentile: 0.37697

CISA KEV: No

Vulncheck Kev: No

Exploitation of CVE-2023-48788 

Credit Shadowserver 

The vulnerability has active exploitation in the wild and POC / exploit publicly available.  

Note the vulnerability leverage an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) type [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests

System Affected by CVE-2023-48788 

An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) threat [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.

Virtual Patch named “FG-VD-54509.0day:FortiClientEMS.DAS.SQL.Injection” is available in FMWP db update 27.750

Exploitation details of CVE-2023-48788 FortiClient EMS 

The Fortinet EMS is installed in the endpoint devices, and a simple SQL command could lead to remote code execution

Note the RCE is one of the major attack methods identified by CISA in the top 12 top exploited vulnerabilities for a full overview: https://phoenix.security/what-is-cisa-kev-main/ 

For the purposes of understanding this vulnerability, FortiClient EMS consists the following components:

• FmcDaemon.exe – The main service responsible for communicating with enrolled clients. By default, this service listens on port 8013 for incoming client connections.
• FCTDas.exe – The Data Access Server responsible for translating requests from various other server components into SQL requests. This service interacts with the Microsoft SQL Server database.
• One or more endpoint clients – These clients communicate with the FmcDaemon on the server (by default tcp/8013)

To convert the SQL injection issue into remote code execution, the researcher team used the built-in xp_cmdshell functionality of Microsoft SQL Server. Initially, the database was not configured to run the xp_cmdshell command, however it was trivially enabled with a few other SQL statements. The POC we are releasing only confirms the threat by using a simple SQL injection without xp_cmdshell. Altering the POC is necessary to enable RCE.

Understanding ASPM and Vulnerability Management

Attack Surface and Posture Management (ASPM) is a holistic approach to cybersecurity, focusing on the continuous discovery, monitoring, and securing of all known and unknown assets across an organization’s digital estate. It’s about having a 360-degree view of your organization’s security posture and identifying weaknesses before attackers do.

Vuln Management, on the other hand, is a critical component of ASPM, involving the identification, prioritization, and remediation of vulnerabilities. It’s a cycle that ensures vulnerabilities are not just discovered but are also analyzed in the context of the organization’s overall security posture and remediated in a timely manner.

Mitigating CVE-2023-48788: A Multifaceted Approach

The mitigation of CVE-2023-48788 required a multifaceted approach, starting from the immediate application of patches provided by Fortinet, to a broader reassessment of security practices surrounding ASPM and vulnerability management.

• Immediate Patching: Fortinet quickly released patches to address the vulnerability, underscoring the importance of timely updates in vulnerability management.
• Enhanced Input Validation: At the development level, enhancing input validation mechanisms to ensure that all user-supplied data is sanitized before processing can prevent similar vulnerabilities.
• Regular Scanning and Assessment: Organizations must adopt regular scanning and assessment routines as part of their ASPM strategy to identify and mitigate vulnerabilities proactively.
• Security Awareness and Training: Educating developers about secure coding practices and the risks associated with SQL Injection can reduce the incidence of such vulnerabilities.
• Continuous Monitoring: Implementing continuous monitoring tools to detect unusual activities indicative of exploitation attempts is crucial for early detection and response.

Looking Forward: Strengthening ASPM and Vulnerability Management

The incident with CVE-2023-48788 brings to light several key lessons for strengthening ASPM and vulnerability management practices:

• Automation in Discovery and Remediation: Leveraging automation tools can enhance the efficiency and comprehensiveness of discovering assets and vulnerabilities.
• Prioritization Based on Context: Vulnerabilities should be prioritized based on their context within the organization’s overall security posture, focusing remediation efforts where they are most needed.
• Collaboration Across Teams: A collaborative approach, involving IT, security, and development teams, is essential for a holistic cybersecurity posture.
• Leveraging Threat Intelligence: Integrating threat intelligence into ASPM practices can provide insights into emerging threats and vulnerabilities, guiding proactive defense strategies.

Conclusion

The revelation of CVE-2023-48788 within Fortinet FortiClient EMS serves as a critical reminder of the ever-evolving cybersecurity landscape. It underscores the importance of robust ASPM and vulnerability management practices in identifying, managing, and mitigating vulnerabilities. As organizations navigate through the complexities of digital security, the integration of comprehensive ASPM strategies with vigilant vulnerability management will be paramount in safeguarding against the multitude of threats that loom in the digital ether.

In closing, while the technical intricacies of managing cybersecurity are vast, it’s sometimes the basics that bolster the defenses — a notion as true in cybersecurity as it is in building a fortress. And remember, in the realm of cybersecurity, complacency is the enemy’s best friend. Let’s stay vigilant, proactive, and always a step ahead of the threats.

How Phoenix Security Can Help

Phoenix Security ASPM helps organizations identify and trace which systems have vulnerabilities, understanding the relation between code and cloud. One of the significant challenges in securing applications is knowing where software like jet brain is installed and how could impact the whole organization. ASPM – Vulnerability management tools can help scale your vulnerability management and identify vulnerable instances of Forticlient ESM, mapping out where it is deployed across the organization. This information is crucial for targeted security measures and efficient patch management. Phoenix Security’s robust Application Security Posture Management (ASPM) system is adept at not just managing, but preempting the exploitation of vulnerabilities through its automated identification system. This system prioritises critical vulnerabilities, ensuring teams can address the most pressing threats first, optimising resource allocation and remediation efforts.

The Role of Application Security Posture Management (ASPM):

ASPM is vital in managing and securing applications like those built with Apache Struts. It involves continuous assessment, monitoring, and improvement of the security posture of applications. ASPM tools can:

1. Identify and Track Struts Components: Locate where FortiClient EMS are located within the application infrastructure.
2. VM Management: Detect known vulnerabilities in FortiClient EMS and prioritize them for remediation.
3. Configuration Monitoring: Ensure FortiClient EMS configurations adhere to best security practices.
4. Compliance: Check if the usage of Fortinet FortiClient EMS aligns with relevant cybersecurity regulations and standards.

By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in VM management, ensuring your application security remains up to date and focuses on the key vulnerabilities.

Previous Issues of Vulnerability Weekly

• Apache Active MQ
• Atlassian Critical Vulnerability Exploited by nation-state CVE-2023-22515
• Critical vulnerability F5
• How to update curl and libcurl without panic fixing
• Critical Vulnerabilities in Atlassian Confluence: Zero-Day
• Detect & Mitigate HTTP/2: Rapid Reset Vulnerabilities
• Understanding the libcue Vulnerability CVE-2023
• Understanding and fixing Curl and libcurl
• MOVEit Transfer breach, Zellis compromise CVE-2023-34362

Other Useful resources

• Vulnerability maturity model,
• How to start an application security program 

Data Visualization of vulnerabilities in the wild

• CISA KEV: https://phoenix.security/what-is-cisa-kev-main/ 
• Exploit in the wild: https://phoenix.security/what-is-exploitability/ 
• OWASP/Appsec Vulnerability: https://phoenix.security/what-is-owasp-main/
• CWE/Appsec Vulnerabilities: https://phoenix.security/what-is-cwe-main/