CVE-2023-48788 | Fortinet FortiClient EMS | RCE
| Vulnerability | CVE-2023-48788 |
|---|---|
| Type | SQL injection (improper neutralization of user input placed in an SQL command) that allows an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests. |
| Description | During a recent incident response engagement we uncovered how adversaries exploited a newly disclosed Fortinet vulnerability to gain a foothold in an enterprise's infrastructure. CVE-2023-48788 is an SQL injection caused by improper filtering of user input that is placed into an SQL command. It affects Fortinet FortiClient EMS versions 7.0.1 through 7.0.10 and 7.2.0 through 7.2.2. A successful exploit lets an unauthenticated attacker execute unauthorized code or commands by sending specially crafted packets. FortiClient EMS is an endpoint management solution for enterprises that provides a central platform for managing enrolled endpoints.<br><br>According to Packet Storm: “The SQL injection vulnerability is due to user-controlled strings which can be sent directly into database queries. FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default, it listens on port 8013 and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database. In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable to SQL injection. It can be used to enable `xp_cmdshell` which can then be used to obtain unauthenticated remote code execution in the context of `NT AUTHORITY\SYSTEM`.”<br><br>The affected system was a Windows server exposed to the Internet with only two ports open:<br>- FORTINET_FCM 8013/TCP<br>- HTTP 10443/TCP<br><br>The customer uses FortiClient EMS so that employees can download specific policies to their business devices, which grants them secure access to the Fortinet VPN. Note that 8013/TCP is exactly the FcmDaemon listener described above, so the vulnerable service was reachable directly from the Internet. |
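The bug class Packet Storm describes is a header value concatenated into SQL text. The following is an added example (not FortiClient EMS code; the table, the query and the FCTUID format are invented, and SQLite stands in for the real MSSQL backend): the same lookup written with string concatenation and with a bound parameter, driven by a constructed FCTUID that carries a stacked statement. The injected `INSERT` plays the role that enabling `xp_cmdshell` plays in the real exploit, since SQLite has no such procedure.

```python
"""Vulnerable vs. parameterized lookup of an FCTUID-like header value.

Added example. The schema, query and FCTUID format are hypothetical; SQLite is
used only because it runs offline. executescript() stands in for an MSSQL batch,
which also executes stacked statements.
"""
import re
import sqlite3

# Constructed sample values: one plausible identifier and one carrying a
# stacked statement. The INSERT stands in for "enable xp_cmdshell".
LEGIT_FCTUID = "1F3C5E7A9B2D4F60"
INJECTED_FCTUID = "x'; INSERT INTO fct_clients VALUES ('evil', 'attacker'); --"


def fresh_db() -> sqlite3.Connection:
    """In-memory table mimicking an enrolled-client registry (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fct_clients (fctuid TEXT PRIMARY KEY, hostname TEXT)")
    conn.execute("INSERT INTO fct_clients VALUES (?, ?)", (LEGIT_FCTUID, "laptop-01"))
    conn.commit()
    return conn


def hostnames(conn: sqlite3.Connection) -> list[str]:
    """Current table contents, sorted, so side effects of a query are visible."""
    return [r[0] for r in conn.execute("SELECT hostname FROM fct_clients ORDER BY hostname")]


def lookup_vulnerable(conn: sqlite3.Connection, fctuid: str) -> list[str]:
    """The bug class: the header value becomes part of the SQL text.

    executescript() runs every statement in the string, like an MSSQL batch,
    so the attacker-supplied INSERT executes alongside the intended SELECT.
    Returns the table contents afterwards to show the side effect.
    """
    sql = f"SELECT hostname FROM fct_clients WHERE fctuid = '{fctuid}';"
    conn.executescript(sql)
    return hostnames(conn)


def lookup_safe(conn: sqlite3.Connection, fctuid: str) -> list[str]:
    """The fix: a bound parameter is data, never SQL text.

    The injected string simply matches no row and the table is left unchanged.
    """
    rows = conn.execute(
        "SELECT hostname FROM fct_clients WHERE fctuid = ?", (fctuid,)
    ).fetchall()
    return [r[0] for r in rows]


def looks_injected(fctuid: str) -> bool:
    """Defence-in-depth allowlist on the raw header value.

    Assumes (for this demo only) that a valid identifier is alphanumeric; the
    real format is not documented here. Parameterization, not this check, is
    the actual fix.
    """
    return re.fullmatch(r"[0-9A-Za-z]+", fctuid) is None


if __name__ == "__main__":
    db = fresh_db()
    print("safe, legit:   ", lookup_safe(db, LEGIT_FCTUID))
    print("safe, injected:", lookup_safe(db, INJECTED_FCTUID), hostnames(db))
    print("vuln, injected:", lookup_vulnerable(db, INJECTED_FCTUID))
```

Running it shows the parameterized lookup returning nothing for the payload while the table stays intact, whereas the concatenating version leaves a new row behind: the query's result is irrelevant to the attacker, the side effect is the point.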
| How to detect possible infections | In October 2024 our MDR technology revealed attempts from an internal source IP address to access registry hives on a customer's Windows server using an administrative account. The same source also accessed administrative shares and named pipes, including:<br>- `\\192.168.X.X\C$\Users`<br>- `\\192.168.X.X\C$\`<br>- `\\192.168.X.X\IPC$\srvsvc`<br>- `\\192.168.X.X\IPC$\svcctl`<br>- `\\192.168.X.X\IPC$\winreg`<br>- `\\192.168.X.X\ADMIN$\SYSTEM32\WqgLtykM.tmp`<br>- `\\192.168.X.X\C$\Windows\System32\Microsoft\Protect\DPAPI Master Keys`<br>- `\\192.168.X.X\C$\Windows\System32\Microsoft\Protect\User Keys`<br>- `\\192.168.X.X\C$\Windows\System32\Microsoft\Protect\Protected Credentials`<br><br>The last three accesses indicate that the attacker was trying to harvest credential material (DPAPI master keys and protected credential blobs). Locally, there were attempts to dump the `HKLM\SAM` and `HKLM\SECURITY` registry hives. The writes were performed by the Remote Registry service host, i.e. the process with the command line `C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry`, which is what you see when hives are saved remotely over the `winreg` named pipe. The dumps targeted the following temporary files on the local system, but the attempts failed:<br>- `C:\Windows\System32\WqgLtykM.tmp`<br>- `C:\Windows\System32\UaXPfRrM.tmp`<br>- `C:\Windows\System32\ZzwaYNIw.tmp`<br>- `C:\Windows\System32\kqjYWWnh.tmp`<br><br>The sequence of `svcctl` and `winreg` pipe access followed by `SYSTEM32\<8 random letters>.tmp` files reached through `ADMIN$` is consistent with remote hive dumping of the kind performed by Impacket's secretsdump.py, so this file-name pattern is a useful hunting indicator on its own. We also observed multiple failed logon attempts from the same internal IP address against multiple hosts using the built-in Administrator account, so we requested isolation of the host and performed evidence acquisition for further investigation. The brute-force attempts were detected and successfully blocked by our MDR system. |
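The three behaviours above (named-pipe access followed by an 8-letter `.tmp` under `SYSTEM32`, reads of the DPAPI `Microsoft\Protect` folders, and Administrator logon failures spread across hosts) can each be turned into a detection. The following is an added example, not the MDR's own rules: it runs that logic over constructed events whose fields are modelled on Windows Security event 5145 (network share object access) and 4625 (failed logon). The host names, source IPs and the 3-host brute-force threshold are assumptions; the `.tmp` pattern is the secretsdump-style heuristic described above.

```python
"""Detections for the post-exploitation pattern described in the write-up.

Added example. Events are constructed; field names follow the Windows
Security event schema (ShareName, RelativeTargetName, IpAddress) in
abbreviated form.
"""
import re
from collections import defaultdict

# Constructed telemetry, loosely modelled on the write-up. 192.168.10.5 is the
# attacker; 192.168.10.7 is a benign admin doing a file copy and one typo'd logon.
EVENTS = [
    {"id": 5145, "src": "192.168.10.5", "host": "SRV-EMS", "share": r"\\*\IPC$", "target": "srvsvc"},
    {"id": 5145, "src": "192.168.10.5", "host": "SRV-EMS", "share": r"\\*\IPC$", "target": "svcctl"},
    {"id": 5145, "src": "192.168.10.5", "host": "SRV-EMS", "share": r"\\*\IPC$", "target": "winreg"},
    {"id": 5145, "src": "192.168.10.5", "host": "SRV-EMS", "share": r"\\*\ADMIN$", "target": r"SYSTEM32\WqgLtykM.tmp"},
    {"id": 5145, "src": "192.168.10.5", "host": "SRV-EMS", "share": r"\\*\C$",
     "target": r"Windows\System32\Microsoft\Protect\DPAPI Master Keys"},
    {"id": 5145, "src": "192.168.10.7", "host": "SRV-FILE", "share": r"\\*\C$", "target": r"Users\alice\report.docx"},
    {"id": 4625, "src": "192.168.10.5", "host": "WS-01", "user": "Administrator"},
    {"id": 4625, "src": "192.168.10.5", "host": "WS-02", "user": "Administrator"},
    {"id": 4625, "src": "192.168.10.5", "host": "WS-03", "user": "Administrator"},
    {"id": 4625, "src": "192.168.10.7", "host": "WS-01", "user": "bob"},
]

# secretsdump-style save target: SYSTEM32\<8 ASCII letters>.tmp (heuristic, not a spec)
HIVE_TMP = re.compile(r"^SYSTEM32\\[A-Za-z]{8}\.tmp$", re.IGNORECASE)
# DPAPI master keys, user keys and protected credentials all live below Microsoft\Protect
DPAPI = re.compile(r"\\Microsoft\\Protect(\\|$)", re.IGNORECASE)


def share_name(share: str) -> str:
    """'\\\\*\\IPC$' -> 'IPC$' (5145 logs the share as \\\\*\\NAME)."""
    return share.rsplit("\\", 1)[-1].upper()


def detect(events, brute_hosts: int = 3) -> list[tuple]:
    """Return alert tuples; see test for the exact shapes."""
    alerts = []
    pipes = defaultdict(set)                      # (src, host) -> IPC$ pipes touched
    hive_writes = defaultdict(list)               # (src, host) -> ADMIN$ .tmp targets
    failed = defaultdict(lambda: defaultdict(set))  # src -> user -> hosts with 4625

    for e in events:
        key = (e["src"], e["host"])
        if e["id"] == 5145:
            share = share_name(e["share"])
            if share == "IPC$":
                pipes[key].add(e["target"].lower())
            elif share == "ADMIN$" and HIVE_TMP.match(e["target"]):
                hive_writes[key].append(e["target"])
            elif share == "C$" and DPAPI.search(e["target"]):
                alerts.append(("dpapi_access", e["src"], e["host"], e["target"]))
        elif e["id"] == 4625:
            failed[e["src"]][e["user"]].add(e["host"])

    # Second pass: the .tmp write only matters if winreg was also used from the
    # same source, which is what a remote hive save looks like.
    for key, targets in hive_writes.items():
        if "winreg" in pipes[key]:
            for target in targets:
                alerts.append(("remote_hive_dump", key[0], key[1], target))

    for src, users in failed.items():
        for user, hosts in users.items():
            if len(hosts) >= brute_hosts:
                alerts.append(("lateral_bruteforce", src, user, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The `winreg` requirement in the second pass is what keeps ordinary `ADMIN$` file copies quiet; if your environment logs 5145 only for selected shares, make sure `IPC$` is among them or the hive-dump rule will never fire.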
| Adversaries’ traces | Our MDR telemetry showed that the same attacker has been targeting other companies and keeps rotating the ScreenConnect subdomains used for remote access, apparently independently of the specific target:<br>- 2024.07.28 18:27:42 trembly.screenconnect[.]com<br>- 2024.07.28 21:54:37 trembly.screenconnect[.]com<br>- 2024.08.22 14:50:15 corsmich.screenconnect[.]com<br>- 2024.08.30 19:56:15 myleka.screenconnect[.]com<br>- 2024.09.29 19:41:11 kle.screenconnect[.]com<br>- 2024.10.06 00:32:13 infinity.screenconnect[.]com<br>- 2024.10.11 22:46:19 infinity.screenconnect[.]com |
| IoCs | Hashes (SHA-1):<br>- 8cfd968741a7c8ec2dcbe0f5333674025e6be1dc<br>- 441a52f0112da187244eeec5b24a79f40cc17d47<br>- 746710470586076bb0757e0b3875de9c90202be2<br>- bc29888042d03fe0ffb57fc116585e992a4fdb9b<br>- 73f8e5c17b49b9f2703fed59cc2be77239e904f7<br>- 841fff3a36d82c14b044da26967eb2a8f61175a8<br>- 34162aaf41c08f0de2f888728b7f4dc2a43b50ec<br>- cf1ca6c7f818e72454c923fea7824a8f6930cb08<br>- e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69<br>- 59e1322440b4601d614277fe9092902b6ca471c2<br>- 75ebd5bab5e2707d4533579a34d983b65af5ec7f<br>- 83cff3719c7799a3e27a567042e861106f33bb19<br>- 44b83dd83d189f19e54700a288035be8aa7c8672<br>- 8834f7ab3d4aa5fb14d851c7790e1a6812ea4ca8 |
| Domains | - infinity.screenconnect[.]com<br>- kle.screenconnect[.]com<br>- trembly.screenconnect[.]com<br>- corsmich.screenconnect[.]com<br>- *.screenconnect[.]com<br><br>Note: screenconnect.com is ConnectWise's legitimate cloud-hosted ScreenConnect domain, so treat the wildcard entry as a hunting indicator for unexpected ScreenConnect use rather than a blocklist entry, unless your organization does not use the product at all. |
| IPs | - 45.141.84[.]45 |
| References | - https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-revisiting-fortinet-forticlient-ems-to-exploit-7-2-x/<br>- https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/<br>- https://www.rapid7.com/db/modules/exploit/windows/http/forticlient_ems_fctid_sqli/<br>- https://packetstormsecurity.com/files/178230/FortiNet-FortiClient-EMS-7.2.2-7.0.10 |