Message-ID: <779c184ee7ae6b1287c174ef17773872@redtimmy.com>
Date: Mon, 05 Oct 2020 20:49:19 +0200
From: Red Timmy Security <publications@...timmy.com>
To: fulldisclosure@...lists.org
Subject: [FD] FortSIEM <= 5.2.8 RCE due to EL Injection - analysis

On June 21st 2020 Fortinet has released a security bulletin for its 
FortiSIEM product: https://www.fortiguard.com/psirt/FG-IR-20-041. All 
versions of the product equal to/minor than 5.2.8 are vulnerable to an 
unauthorized remote command execution via Expression Language injection. 
The affected component, found and reported by Code White guys, is an old 
acquaintance of ours: the infamous java library Richfaces.

7 months ago we have publicly released a working proof of concept named 
Richsploit (https://github.com/redtimmy/Richsploit) aimed to exploit 4 
different Richfaces RCE bugs, including the one mentioned in the 
Fortinet security bulletin.

However, the tool does not work as-is against FortiSIEM <= 5.2.8 as the 
malicious payload requires some modifications in order to produce the 
desired effects. We have fixed that and wrote a post about it.

Also we have been able to identify several vulnerable instances of 
FortiSIEM exposed over the internet, even owned by Fortinet itself. We 
have responsibly reported their presence to the vendor(s).

If you are interest, the most relevant details can be consulted from 
https://www.redtimmy.com/fortinet-siem-vulnerability-allows-us-to-get-rce-on-internet-exposed-hosts/

regards


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists