CVE-2024-48892
📋 TL;DR
A relative path traversal vulnerability in FortiSOAR allows authenticated attackers to read arbitrary files by uploading malicious solution packs. This affects FortiSOAR versions 7.3.x, 7.4.x, 7.5.0-7.5.1, and 7.6.0. Attackers must have valid credentials to exploit this vulnerability.
💻 Affected Systems
- FortiSOAR
📦 What is this software?
FortiSOAR by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could read sensitive system files, configuration files, or credential files, potentially leading to privilege escalation or lateral movement.
Likely Case
Attackers with legitimate credentials could exfiltrate configuration data, API keys, or other sensitive information stored in accessible files.
If Mitigated
With proper access controls and monitoring, impact would be limited to files accessible by the FortiSOAR service account.
🎯 Exploit Status
Requires authenticated access and ability to upload solution packs. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiSOAR 7.6.1 or later, 7.5.2 or later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-421
Restart Required: No
Instructions:
1. Back up your FortiSOAR configuration and data.
2. Upgrade to FortiSOAR 7.6.1 or later, or 7.5.2 or later.
3. Verify the upgrade completed successfully.
4. Test solution pack functionality after the upgrade.
🔧 Temporary Workarounds
Restrict Solution Pack Uploads
Temporarily disable the solution pack upload functionality, or restrict it to the authenticated users who absolutely require it.
Enhanced Authentication Controls
Implement multi-factor authentication and review which user accounts hold solution pack upload privileges.
🧯 If You Can't Patch
- Implement strict access controls on solution pack upload functionality
- Monitor file access logs for unusual patterns and implement file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check the FortiSOAR version via the admin interface or CLI. If the version is 7.3.x, 7.4.x, 7.5.0-7.5.1, or 7.6.0, the system is vulnerable.
Check Version:
Check via the FortiSOAR web interface under System Settings > About, or use the FortiSOAR CLI if available.
Verify Fix Applied:
Verify that the FortiSOAR version is 7.6.1 or later, or 7.5.2 or later. Test the solution pack upload functionality to ensure it still works while path traversal is blocked.
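The version check above can be scripted when you manage several FortiSOAR instances. The following is an added example, not part of the advisory and not Fortinet code: it encodes only the affected ranges (7.3.x, 7.4.x, 7.5.0-7.5.1, 7.6.0) and fixed releases (7.5.2+, 7.6.1+) stated on this page, and classifies any other version as "not listed" rather than guessing. The version strings it is fed are constructed sample values; how you obtain the real version (web UI or CLI) is left to the operator.

```python
import re

# Affected ranges taken from the advisory text for CVE-2024-48892.
# Versions outside these ranges are reported as "not listed", not as safe.
AFFECTED_MINORS_ANY_PATCH = {3, 4}      # 7.3.x and 7.4.x
AFFECTED_MAX_PATCH = {5: 1, 6: 0}       # 7.5.0-7.5.1 and 7.6.0
FIXED_MIN_PATCH = {5: 2, 6: 1}          # 7.5.2+ and 7.6.1+

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' (optional leading 'v', trailing text ignored)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised FortiSOAR version string: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def classify_version(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not listed' for CVE-2024-48892."""
    major, minor, patch = parse_version(version)
    if major != 7:
        return "not listed"
    if minor in AFFECTED_MINORS_ANY_PATCH:
        return "vulnerable"
    if minor in AFFECTED_MAX_PATCH:
        if patch <= AFFECTED_MAX_PATCH[minor]:
            return "vulnerable"
        if patch >= FIXED_MIN_PATCH[minor]:
            return "fixed"
    return "not listed"


def audit_hosts(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> classification for a {hostname: version} inventory."""
    return {host: classify_version(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "soar-prod-01": "7.4.3",
        "soar-prod-02": "7.5.1",
        "soar-staging": "7.6.1",
        "soar-lab": "7.2.0",
    }
    for host, status in audit_hosts(sample).items():
        print(f"{host:14s} {sample[host]:8s} {status}")
```

Run it directly to print a per-host table; in an inventory pipeline, import `classify_version` and alert on every "vulnerable" result, and review "not listed" results by hand because the advisory says nothing about them.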
📡 Detection & Monitoring
Log Indicators:
- Unusual solution pack uploads
- File access patterns outside expected directories
- Multiple failed upload attempts followed by successful upload
Network Indicators:
- Large file uploads to solution pack endpoints
- Unusual outbound data transfers following uploads
SIEM Query:
source="fortisoar" AND (event="solution_pack_upload" OR event="file_access") AND (path="*../*" OR path="*..\\*")
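Before committing the query above to a SIEM rule, it helps to run the same logic over exported log lines. The following is an added example, not from the advisory or from Fortinet: it parses constructed key=value log lines (the field names `source`, `event` and `path` follow the SIEM query on this page, but the line format itself is an assumption, not FortiSOAR's real log format), keeps only the two event types the query names, and flags a path when any of its segments is `..`. It goes slightly beyond the page's literal `../` and `..\` strings by URL-decoding the path first, so percent-encoded traversal sequences are caught as well.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in a hypothetical key=value format.
# Users, timestamps and paths are illustrative only.
SAMPLE_LOGS = [
    "ts=2024-10-01T10:00:00Z source=fortisoar user=alice event=solution_pack_upload path=packs/incident_response.zip",
    "ts=2024-10-01T10:05:12Z source=fortisoar user=bob event=solution_pack_upload path=../../../../etc/passwd",
    "ts=2024-10-01T10:05:40Z source=fortisoar user=bob event=file_access path=..%2F..%2Fopt%2Fconfig.ini",
    "ts=2024-10-01T10:06:01Z source=fortisoar user=carol event=login path=/",
    "ts=2024-10-01T10:07:19Z source=fortisoar user=dave event=file_access path=packs\\..\\..\\secrets",
    "ts=2024-10-01T10:08:00Z source=firewall user=dave event=file_access path=../not-in-scope",
]

_KV_RE = re.compile(r"(\w+)=(\S+)")
WATCHED_EVENTS = {"solution_pack_upload", "file_access"}


def parse_line(line: str) -> dict[str, str]:
    """Split a key=value line into a dict (values may not contain whitespace)."""
    return dict(_KV_RE.findall(line))


def has_traversal(path: str) -> bool:
    """True if any '/'- or '\\'-separated segment of the (decoded) path is '..'."""
    decoded = unquote(unquote(path))          # also catches double encoding
    segments = re.split(r"[\\/]+", decoded)
    return ".." in segments


def find_traversal_events(lines: list[str]) -> list[dict[str, str]]:
    """Return records from FortiSOAR upload/file-access events whose path traverses."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("source") != "fortisoar":
            continue
        if rec.get("event") not in WATCHED_EVENTS:
            continue
        if has_traversal(rec.get("path", "")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_traversal_events(SAMPLE_LOGS):
        print(f"{rec['ts']} user={rec['user']} event={rec['event']} path={rec['path']}")
```

The segment check is deliberately stricter than a substring match on `../`: a legitimate file named `my..file.zip` does not trigger it, while `..%2F` and backslash variants do. Tune `WATCHED_EVENTS` and the field names to whatever your FortiSOAR log forwarder actually emits.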