Critical Vulnerability Identified in Fortinet SIEM Tool

Summary

A vulnerability has been discovered internally by Adham El Karn of the Fortinet Product Security team. Identified as CVE-2023-36553 (CVSS 9.8), this Critical vulnerability affects all versions of FortiSIEM 4.7, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, and 5.4. According to Fortiguard, it has to do with an improper neutralization of special elements used in an OS Command vulnerability in FortiSIEM report server. This can allow a remote, unauthenticated attacker to execute unauthorized commands via specifically crafted API requests.

Impact Assessment

This vulnerability allows a remote, unauthenticated attacker to execute OS commands, potentially opening the door for future attacks by allowing the attacker to modify existing configurations as well as deleting and viewing data. This vulnerability also affects a key security tool, the Security Information and Event Management System. Having this software be compromised will absolutely cripple an organization’s security infrastructure.

Affected Products

1. FortiSIEM 5.4 all versions
2. FortiSIEM 5.3 all versions
3. FortiSIEM 5.2 all versions
4. FortiSIEM 5.1 all versions
5. FortiSIEM 5.0 all versions
6. FortiSIEM 4.10 all versions
7. FortiSIEM 4.9 all versions
8. FortiSIEM 4.7 all versions

What it means for you

Check your organization’s software inventory to ensure that you either are or are not using FortiSIEM in your network configuration. If you are using it read up on the security bulletin and apply updates to FortiSIEM as soon as possible.

Remediation

Fortinet has provided updates to their FortiSIEM software to remediate this vulnerability.

Please upgrade to FortiSIEM version 7.1.0 or above

Please upgrade to FortiSIEM version 7.0.1 or above

Please upgrade to FortiSIEM version 6.7.6 or above

Please upgrade to FortiSIEM version 6.6.4 or above

Please upgrade to FortiSIEM version 6.5.2 or above

Please upgrade to FortiSIEM version 6.4.3 or above

Business Implications

Due to the nature of this vulnerability and the software it affects it is possible this vulnerability could cripple the security infrastructure of any organization that uses FortiSIEM. A SIEM tool is an essential piece to any successful security team, allowing vision on assets as well as logs of events that occur on said devices which can help with incident response, triage, patching, etc. This would cause immeasurable costs in incident response as well as potential data leakage and modification.

Access Point Technology Recommends

Patch: We recommend following vendor instructions and upgrade your organization’s FortiSIEM instance to a non-vulnerable version in an expediated patching cadence.

Associated Bulletins

https://nvd.nist.gov/vuln/detail/CVE-2023-36553

https://www.fortiguard.com/psirt/FG-IR-23-135