Fortinet FortiSIEM OS Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in Fortinet FortiSIEM versions 7.3.0 to 7.3.1, 7.2.0 to 7.2.5, 7.1.0 to 7.1.7, 7.0.0 to 7.0.3, and prior to 6.7.9. This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the operating system by sending crafted CLI requests. The issue arises from improper sanitization of input in the 'phMonitor' process, which handles storage archive requests. Exploitation of this vulnerability could lead to a complete takeover of the affected system.

Impact

Successful exploitation allows for unauthorized command execution on the FortiSIEM host, with potential for full system compromise.

Reproduction

To reproduce this vulnerability, send a CLI request to the 'phMonitor' process on port 7900, including an XML payload that specifies 'nfs' as the storage type, along with a valid NFS server IP and directory. The 'scope' element must be set to 'local'. The 'archive_nfs_archive_dir' can be used to inject commands, which will be executed on the system.
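The sanitization gap described above, as an added example that is not Fortinet's or phMonitor's code: the allowlist check a defender would place in front of the NFS server and archive directory fields, a reasons list usable for logging rejected requests, and an argv-based mount invocation so the values never pass through a shell. That the directory ends up in a mount command, and the IPv4-only rule for the server field, are assumptions.

```python
import re

# Assumptions (added example, not FortiSIEM internals): the archive directory
# is eventually handed to an NFS mount, so the fix is to allowlist the value
# and pass it to exec() as one argv element instead of building a shell string.
_SAFE_DIR = re.compile(r"/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]*")
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_SAFE_IPV4 = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")


def valid_archive_dir(value: str) -> bool:
    """Allowlist check for archive_nfs_archive_dir.

    fullmatch() is deliberate: match() with a trailing '$' still accepts a
    final newline. Anything outside [A-Za-z0-9_./-] (so ; | & $ ` quotes,
    spaces, newlines) is refused, as is any '..' path segment.
    """
    if not isinstance(value, str) or not _SAFE_DIR.fullmatch(value):
        return False
    return ".." not in value.split("/")


def valid_nfs_server(value: str) -> bool:
    """Accept only a dotted-quad IPv4 literal for the NFS server field."""
    return isinstance(value, str) and bool(_SAFE_IPV4.fullmatch(value))


def reject_reasons(server: str, export_dir: str) -> list:
    """Names of the request fields that fail validation (empty = clean).

    Serves both the hardening path and a detection log line.
    """
    reasons = []
    if not valid_nfs_server(server):
        reasons.append("nfs_server")
    if not valid_archive_dir(export_dir):
        reasons.append("archive_nfs_archive_dir")
    return reasons


def build_mount_argv(server: str, export_dir: str, mountpoint: str) -> list:
    """Return argv for mount(8), never a shell command line.

    argv execution does not interpret metacharacters, so even a value that
    slipped past validation could not chain a second command.
    """
    bad = reject_reasons(server, export_dir)
    if bad or not valid_archive_dir(mountpoint):
        raise ValueError(f"rejected fields: {bad or ['mountpoint']}")
    return ["mount", "-t", "nfs", f"{server}:{export_dir}", mountpoint]
```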

Remediation

Users are advised to upgrade FortiSIEM to version 7.3.2 or above, 7.2.6 or above, 7.1.8 or above, 7.0.4 or above, or 6.7.10 or above, depending on their current version. For FortiSIEM versions 6.6, 6.5, 6.4, 6.3, 6.2, 6.1, and 5.4, users should migrate to a fixed release.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

  spread          1.9
  impact          5.0
  exploitability  9.5
  remediation     8.3
  relevance       0.3
  threat          7.2
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.