CVE-2023-23775
📋 TL;DR
This CVE describes SQL injection vulnerabilities in FortiSOAR that allow authenticated attackers to execute unauthorized SQL commands via crafted string parameters. Affected systems include FortiSOAR versions 7.2.0 and earlier than 7.0.3. The vulnerability requires authentication but could lead to data manipulation or unauthorized code execution.
💻 Affected Systems
- FortiSOAR
📦 What is this software?
FortiSOAR by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attacker gains full database access, executes arbitrary SQL commands, potentially leading to data exfiltration, system compromise, or lateral movement within the network.
Likely Case
Authenticated user exploits SQL injection to access or modify sensitive data, escalate privileges, or execute limited commands within database context.
If Mitigated
With proper input validation and parameterized queries, exploitation attempts are blocked at the application layer with no impact.
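As an added example (not code from the advisory or from Fortinet), the following shows the two defences named above side by side: a string-concatenated query, the same lookup as a parameterized query, and an allowlist check for an identifier-like string parameter. The `alerts` table, its columns and the in-memory SQLite database are constructed for the demonstration and do not reflect FortiSOAR's real schema or database engine.

```python
import re
import sqlite3


def seed_db() -> sqlite3.Connection:
    """Constructed stand-in table; it does not reflect FortiSOAR's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alerts (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO alerts (name, owner) VALUES (?, ?)",
        [("phishing-1", "alice"), ("malware-2", "bob"), ("phishing-3", "carol")],
    )
    return conn


def find_alerts_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the caller-supplied value becomes part of the SQL
    text, so a quote character in it changes the statement's structure."""
    query = "SELECT name, owner FROM alerts WHERE name = '" + name + "'"
    return [tuple(row) for row in conn.execute(query)]


def find_alerts_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the statement is fixed and the value is bound
    separately, so the database never parses the value as SQL."""
    return [
        tuple(row)
        for row in conn.execute("SELECT name, owner FROM alerts WHERE name = ?", (name,))
    ]


NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_valid_name(name: str) -> bool:
    """Allowlist validation for an identifier-like parameter: a defence-in-depth
    layer in front of the query, not a substitute for parameter binding."""
    return NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    db = seed_db()
    tautology = "' OR '1'='1"  # classic structure-changing input
    print("vulnerable:", find_alerts_vulnerable(db, tautology))  # all three rows
    print("safe:      ", find_alerts_safe(db, tautology))        # []
    print("validated: ", is_valid_name(tautology))               # False
```

The parameterized lookup treats the whole string as a literal and returns nothing, while the concatenated version returns every row because the input rewrote the WHERE clause. The allowlist check belongs in the workflow or integration layer where the advisory's workaround suggests adding validation; binding stays the primary control.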
🎯 Exploit Status
Exploitation requires authenticated access, but SQL injection techniques are well understood and widely available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiSOAR 7.0.3 and later versions
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-22-448
Restart Required: Yes
Instructions:
1. Back up the FortiSOAR configuration and data.
2. Download and install FortiSOAR version 7.0.3 or later from the Fortinet support portal.
3. Apply the update following Fortinet's upgrade documentation.
4. Restart FortiSOAR services.
5. Verify functionality post-upgrade.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation and sanitization for all string parameters in custom workflows and integrations.
Network Segmentation
Restrict network access to FortiSOAR management interfaces to authorized users only.
🧯 If You Can't Patch
- Implement web application firewall (WAF) with SQL injection protection rules
- Restrict user permissions to minimum required and monitor for suspicious database queries
🔍 How to Verify
Check if Vulnerable:
Check the FortiSOAR version via the web interface or CLI. If the version is 7.2.0, or earlier than 7.0.3, the system is vulnerable.
Check Version:
Check via the FortiSOAR web interface under System > About, or use the FortiSOAR CLI if available.
Verify Fix Applied:
Verify that the FortiSOAR version is 7.0.3 or later. Test vulnerable endpoints with SQL injection payloads to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts followed by SQL-like payloads in application logs
- Unexpected database schema changes
Network Indicators:
- SQL keywords in HTTP POST parameters to FortiSOAR endpoints
- Unusual database connection patterns from FortiSOAR application
SIEM Query:
source="fortisoar" AND ("SELECT" OR "UNION" OR "INSERT" OR "UPDATE" OR "DELETE" OR "DROP" OR "EXEC") IN request_parameters
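The SIEM query above is a keyword-only match, which fires on ordinary text that happens to contain words like "select" or "update". As an added example (not from the advisory or from Fortinet), the block below runs that query as a Python check over constructed log lines and adds a tuned variant that goes beyond the query by also requiring a SQL syntax token (comment marker, statement separator, quote followed by a boolean operator, or UNION directly before SELECT). The key=value log layout, the field names `source`, `user`, `path` and `request_parameters`, and the four sample lines are assumptions; FortiSOAR's actual log format may differ.

```python
import re
from dataclasses import dataclass, field

# Constructed key=value log lines; FortiSOAR's real log layout and field names may differ.
SAMPLE_LOGS = r'''
source="fortisoar" user=alice path=/api/3/alerts request_parameters="name=phishing-1"
source="fortisoar" user=bob path=/api/3/alerts request_parameters="name=' UNION SELECT username, password FROM users --"
source="fortisoar" user=carol path=/api/3/comments request_parameters="note=Please select the update channel"
source="other-app" user=dave path=/login request_parameters="q=DROP TABLE users"
'''.strip().splitlines()

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Keyword list taken from the advisory's SIEM query.
SQL_KEYWORDS = ("SELECT", "UNION", "INSERT", "UPDATE", "DELETE", "DROP", "EXEC")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)

# SQL syntax that rarely appears in ordinary form input: comment markers, statement
# separators, a quote followed by a boolean operator, or UNION directly before SELECT.
SYNTAX_RE = re.compile(r"(--|/\*|;|'\s*(?:or|and)\b|\bunion\s+select\b)", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Parse one key=value log line; quoted values may contain spaces."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD_RE.finditer(line)
    }


@dataclass
class Finding:
    user: str
    path: str
    keywords: list = field(default_factory=list)
    syntax_hits: int = 0


def detect(lines, source: str = "fortisoar", naive: bool = False) -> list:
    """naive=True reproduces the keyword-only SIEM query; the default additionally
    requires at least one SQL syntax token, which drops English text that merely
    contains words such as 'select' or 'update'."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("source") != source:
            continue
        params = rec.get("request_parameters", "")
        keywords = sorted({m.group(1).upper() for m in KEYWORD_RE.finditer(params)})
        syntax_hits = len(SYNTAX_RE.findall(params))
        flagged = bool(keywords) if naive else bool(keywords) and syntax_hits > 0
        if flagged:
            findings.append(Finding(rec.get("user", "?"), rec.get("path", "?"), keywords, syntax_hits))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS, naive=True):
        print("keyword-only  :", f)   # bob and carol
    for f in detect(SAMPLE_LOGS):
        print("keyword+syntax:", f)   # bob only
```

On the sample lines the keyword-only form flags both the injected parameter and carol's harmless comment, while the tuned form keeps only the line with real SQL structure. The trade-off is that the tuned rule can miss payloads that use none of the listed syntax tokens, so treat it as a noise reducer for triage and keep the broader query for retrospective hunting.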