CVE-2024-23108: 
FortiSIEM vulnerability analysis and mitigation

An improper neutralization of special elements used in an OS command vulnerability (CVE-2024-23108) affects Fortinet FortiSIEM versions ranging from 6.4.0 through 7.1.1. The vulnerability allows remote unauthenticated attackers to execute unauthorized code or commands via crafted API requests (Fortinet Advisory). The vulnerability was discovered by security researcher Zach Hanley of Horizon3.ai and was publicly disclosed in January 2024 (Horizon3 Research).

The vulnerability is a second-order command injection that occurs when certain parameters are sent to datastore.py. The issue exists in the phMonitor service on tcp/7900, which can be exploited by sending a handleStorageRequest message with malicious parameters. The vulnerability has received a Critical severity rating with a CVSS v3.1 base score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) from Fortinet, and 9.8 from NVD (NVD Details).

If exploited, this vulnerability allows attackers to execute unauthorized code or commands with root privileges on affected FortiSIEM systems. The attack can be performed remotely without requiring authentication, potentially leading to complete system compromise (Horizon3 Research).

Fortinet has released patches to address this vulnerability. Organizations should upgrade to FortiSIEM version 7.1.2 or above, version 7.0.3 or above, version 6.7.9 or above, version 6.6.4 or above, version 6.5.3 or above, or version 6.4.4 or above. FortiSIEM versions 7.2 and 7.3 are not affected by this vulnerability (Fortinet Advisory).