CVE-2023-48790
📋 TL;DR
This cross-site request forgery (CSRF) vulnerability in Fortinet FortiNDR lets a remote, unauthenticated attacker have unauthorized actions performed on the appliance via crafted HTTP GET requests. It affects FortiNDR 7.4.0, 7.2.0 through 7.2.1, 7.1.0 through 7.1.1, and versions before 7.0.5. The attacker never authenticates: a user who is already logged in to the FortiNDR web interface (typically an administrator) is induced to load an attacker-controlled URL, and the browser attaches that user's session to the request. Because the state change is reachable with a plain GET, a link or redirect is enough to trigger it.
💻 Affected Systems
- Fortinet FortiNDR
📦 What is this software?
FortiNDR (Network Detection and Response) by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An administrator's live session is abused to do anything that account is authorized to do on the interface: change configuration, disable detections or alerting, or reconfigure how detection data is stored and forwarded. The attacker does not read the responses (the browser's same-origin policy prevents that), so the damage is in the actions performed, but those actions can amount to taking the appliance out of the defender's hands without ever holding credentials.
Likely Case
Unauthorized configuration changes, policy modifications, or disabling of security monitoring capabilities.
If Mitigated
Limited impact where administrators reach the management interface only from hardened hosts on an isolated network and log out when finished, since the attack depends on a live session in a browser that also renders attacker-controlled content.
🎯 Exploit Status
Exploitation requires social engineering: the attacker must get a user who is currently logged in to FortiNDR to open a crafted URL (through a link, redirect or embedded page) while that session is live. The attacker needs no credentials and no authentication bypass; the victim's browser supplies the authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.1, 7.2.2, 7.1.2, 7.0.5 and later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-23-353
Restart Required: a firmware upgrade on Fortinet appliances normally reboots the unit, so schedule a maintenance window.
Instructions:
1. Back up the current configuration.
2. Log in to the FortiNDR admin interface.
3. Navigate to System > Dashboard and check for available updates.
4. Apply the fixed release for your branch (7.4.1, 7.2.2, 7.1.2 or 7.0.5).
5. After the upgrade completes, confirm the running version (see How to Verify below).
🔧 Temporary Workarounds
Reduce exposure of administrator sessions
The usual web-application defences (anti-CSRF tokens on state-changing requests, SameSite attributes on the session cookie) belong to the vendor's web interface and cannot be added by the operator; they arrive with the patched firmware. Until then, have administrators use the FortiNDR interface from a dedicated browser profile that visits nothing else, and log out rather than leaving sessions idle.
Restrict who can reach the management interface
Limit access to the management interface to a small set of administrator hosts (by firewall rule, and by per-account trusted-host restrictions where the appliance offers them), so a forged request can only succeed from a machine that is already on the allow list.
🧯 If You Can't Patch
- Implement network segmentation to isolate FortiNDR management interface from user networks.
- Put a reverse proxy or web application firewall (WAF) in front of the management interface that rejects GET requests to administrative endpoints whose Referer (or Origin, where present) is not the appliance's own hostname, and alert on those rejections.
🔍 How to Verify
Check if Vulnerable:
Check FortiNDR version via admin interface: System > Dashboard > System Information. Compare against affected versions.
Check Version:
get system status (Fortinet CLI: get displays status, show displays configuration) or check System Information in the web interface
Verify Fix Applied:
Confirm the running version is 7.4.1, 7.2.2, 7.1.2, 7.0.5 or later for its branch. For a functional check, use a non-production instance: log in, then from a page on a different origin issue the same GET that previously performed a state change and confirm it is no longer honoured.
📡 Detection & Monitoring
Log Indicators:
- Configuration changes the administrator on record did not make, particularly ones that coincide with that administrator's web browsing. Because the victim's own browser sends the forged request, the source address is the administrator's usual one, not an attacker address.
- Rejected cross-site requests (for example CSRF token failures), where the appliance logs them after patching.
- HTTP GET requests to administrative or state-changing endpoints that an administrator would normally reach only through the UI's own forms.
Network Indicators:
- HTTP GET requests to FortiNDR admin endpoints whose Referer names a host other than the appliance itself, or that carry no Referer at all.
- Requests to state-changing endpoints that lack the anti-CSRF token the web interface normally includes.
SIEM Query:
source="fortindr" AND http_method="GET"
  AND (uri CONTAINS "/api/" OR uri CONTAINS "/admin/")
  AND NOT referer CONTAINS "<appliance-hostname>"
Field names and the "<appliance-hostname>" placeholder are illustrative; substitute your SIEM's HTTP fields and the hostname under which the FortiNDR UI is served. Do not filter on User-Agent: the forged request is sent by the victim's real browser and carries an ordinary browser User-Agent.
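As an added example (not FortiNDR's own logging or tooling, and not part of the original advisory), the following Python script applies the indicators above to a few constructed access-log lines in combined log format. The hostnames, endpoint paths and log layout are assumptions; FortiNDR's real log schema differs, so map the fields accordingly.

```python
"""Flag GET requests to administrative endpoints whose Referer points off-box,
the trace a GET-based CSRF such as CVE-2023-48790 leaves in HTTP access logs.
Added example; not FortiNDR code. Log layout, hosts and paths are assumptions."""

import re
from urllib.parse import urlsplit

# Hostnames/addresses under which the FortiNDR UI is served (assumption).
# A legitimate in-UI navigation carries one of these as the Referer host.
TRUSTED_HOSTS = {"fortindr.corp.example", "10.0.0.20"}

# Path prefixes treated as administrative, state-changing surface (assumption;
# the advisory text mentions "/api/" and "/admin/", tune to what you observe).
ADMIN_PREFIXES = ("/api/", "/admin/")

# Combined log format with Referer and User-Agent. Constructed layout for the
# demo, not FortiNDR's native log schema.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one cross-site GET riding an admin session, one GET with
# the Referer stripped, and three benign lines. The suspicious requests come
# from the administrator's own address (10.0.0.5): in CSRF the victim's
# browser sends them, so the source IP looks normal.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Dec/2023:10:01:02 +0000] "GET /api/system/setting?disable_alerts=1 HTTP/1.1" 200 512 "https://evil.example/promo.html" "Mozilla/5.0"
10.0.0.5 - admin [12/Dec/2023:10:02:10 +0000] "GET /api/dashboard/summary HTTP/1.1" 200 2048 "https://fortindr.corp.example/ui/" "Mozilla/5.0"
10.0.0.5 - admin [12/Dec/2023:10:03:00 +0000] "GET /admin/users/delete?id=7 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Dec/2023:10:04:00 +0000] "POST /api/login HTTP/1.1" 200 128 "https://fortindr.corp.example/login" "Mozilla/5.0"
10.0.0.9 - admin [12/Dec/2023:10:05:00 +0000] "GET /ui/static/app.js HTTP/1.1" 200 9000 "https://fortindr.corp.example/ui/" "Mozilla/5.0"
"""


def classify(line):
    """Return (severity, reason, fields) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    # Only GETs to admin paths matter here: the flaw is that GET changes state.
    if f["method"] != "GET" or not f["path"].startswith(ADMIN_PREFIXES):
        return None
    referer = f["referer"]
    if referer in ("", "-"):
        # An attacker page can suppress Referer (referrer-policy no-referrer),
        # but so do bookmarks and typed URLs, hence medium rather than high.
        return ("medium", "GET to admin endpoint with no Referer", f)
    host = (urlsplit(referer).hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return ("high", f"cross-site Referer host {host}", f)
    return None


def scan(lines):
    """Run classify over an iterable of log lines; return the hits in order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


if __name__ == "__main__":
    for severity, reason, f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {f['src']} {f['user']} {f['method']} {f['path']} :: {reason}")
```

The same Referer test, inverted to reject rather than alert, is the rule a reverse proxy in front of the management interface would enforce under "If You Can't Patch". Treat the no-Referer case as a lead to correlate with the administrator's session activity rather than as proof on its own, since a browser hitting the appliance directly produces the same line.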