CVE-2023-42788: 
Fortinet FortiManager vulnerability analysis and mitigation

An OS Command Injection vulnerability (CVE-2023-42788) was discovered in FortiManager, FortiAnalyzer & FortiAnalyzer-BigData products. The vulnerability was identified in multiple versions of these products, including versions 6.2.0 through 7.4.0, and was disclosed on October 10, 2023. This security flaw allows a local attacker with low privileges to execute unauthorized code through specifically crafted arguments to a CLI command (Fortiguard PSIRT, NVD).

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command Injection). It received a CVSS v3.1 base score of 7.6 (High) from Fortinet and 6.7 (Medium) from NIST. The vulnerability stems from improper sanitization of parameters in certain diagnose commands that allow administrators to export files to external FTP/SFTP servers. The injection is possible through parameters passed to the underlying tar command, specifically the --checkpoint and --checkpoint-action parameters can be abused to obtain root access (Github Advisory).

The successful exploitation of this vulnerability allows attackers to spawn an interactive shell on the affected device with root privileges. Since all processes run with root privileges, including scripts and binaries handling user inputs, attackers can gain complete control over the affected system (Github Advisory).

Fortinet has released patches for affected versions. Users should upgrade to the following versions: FortiAnalyzer 7.4.1 or above, 7.2.4 or above, 7.0.9 or above, 6.4.13 or above, or 6.2.12 or above. For FortiAnalyzer-BigData, users should upgrade to version 7.2.6 or above, or migrate to a fixed release for versions 7.0, 6.4, and 6.2. FortiManager users should upgrade to versions 7.4.1 or above, 7.2.4 or above, 7.0.9 or above, 6.4.13 or above, or 6.2.12 or above (Fortiguard PSIRT).