Full Report
Fortinet security advisory (AV26-568)
Analysis Summary
# Vulnerability: Second-Order OS Command Injection in FortiSandbox
## CVE Details
- **CVE ID**: CVE-2024-36521 (Identified via internal Fortinet reference FG-IR-26-141)
- **CVSS Score**: 9.4 (Critical)
- **CWE**: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
## Affected Systems
- **Products**: FortiSandbox (Physical/Virtual), FortiSandbox Cloud, FortiSandbox PaaS
- **Versions**:
  - FortiSandbox 5.0: 5.0.0 through 5.0.5
  - FortiSandbox 4.4: 4.4.0 through 4.4.8
  - FortiSandbox Cloud 5.0: 5.0.4 through 5.0.5
  - FortiSandbox PaaS 5.0: 5.0.4 through 5.0.5
- **Configurations**: Systems utilizing the "start vnc" feature.
## Vulnerability Description
A second-order OS command injection vulnerability exists in the FortiSandbox "start vnc" feature. The flaw is triggered via specially crafted JSON input. Because it is "second-order," the malicious payload is first stored by the application and only later executed, when a different process or a later code path of the VNC feature consumes that stored input without proper sanitization. This allows an authenticated attacker with sufficient privileges to execute arbitrary commands on the underlying operating system.
## Exploitation
- **Status**: Not currently reported as exploited in the wild; no public PoC available at the time of the advisory.
- **Complexity**: Low
- **Attack Vector**: Network
## Impact
- **Confidentiality**: High (Full access to system files and data)
- **Integrity**: High (Ability to modify system configurations and application logic)
- **Availability**: High (Potential for complete system shutdown or denial of service)
## Remediation
### Patches
Fortinet recommends upgrading to the following versions:
- **FortiSandbox 5.0**: Upgrade to version 5.0.6 or higher.
- **FortiSandbox 4.4**: Upgrade to version 4.4.9 or higher.
- **FortiSandbox Cloud 5.0**: Upgrade to version 5.0.6 or higher.
- **FortiSandbox PaaS 5.0**: Upgrade to version 5.0.6 or higher.
### Workarounds
- **Disable VNC**: If the VNC feature is not required for daily operations, disabling VNC access can mitigate the specific attack vector.
- **Restrict Access**: Ensure that administrative access to the FortiSandbox management interface is restricted to trusted internal networks and authorized personnel only.
## Detection
- **Indicators of Compromise**: Monitor system logs for unusual shell commands or unexpected outbound connections originating from the FortiSandbox appliance.
- **Detection Methods**: Audit JSON logs for entries containing shell metacharacters (e.g., `;`, `&`, `|`, `` ` ``, `$()`), especially those related to VNC configuration or session startup.
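One way to implement the audit described above, as an added example that is not part of the advisory or of any Fortinet tooling: it walks every string value in each JSON log line, keeps only entries that mention VNC, and flags values carrying the listed metacharacters. The field names and log lines are constructed; FortiSandbox's real log schema is not given in the advisory.

```python
import json
import re

# Shell metacharacters named in the advisory's detection guidance,
# including the $( ) command-substitution form.
METACHAR_RE = re.compile(r"[;&|`]|\$\(")

# Scope filter: only entries mentioning VNC (key or value) are audited.
# Assumed convention; the real log schema is not given in the advisory.
VNC_HINT_RE = re.compile(r"vnc", re.IGNORECASE)


def iter_strings(obj, path=""):
    """Yield (json_path, value) for every string in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from iter_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from iter_strings(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj


def audit_json_log(lines):
    """Return (line_number, json_path, value) for suspicious VNC-related fields.

    Lines that are not valid JSON are reported under path '<unparseable>'
    rather than skipped, since a log-format break is itself worth a look.
    """
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            findings.append((lineno, "<unparseable>", raw[:80]))
            continue
        if not VNC_HINT_RE.search(raw):
            continue  # not related to VNC configuration or startup
        for path, value in iter_strings(entry):
            if METACHAR_RE.search(value):
                findings.append((lineno, path, value))
    return findings


# Constructed sample log lines (not real FortiSandbox output).
SAMPLE_LOG = [
    '{"action":"start vnc","vm":"win10-01","display":":1","user":"admin"}',
    '{"action":"start vnc","vm":"win10-01; echo test","display":":2","user":"admin"}',
    '{"action":"start vnc","vm":"ubuntu-02","display":"$(hostname)","user":"analyst"}',
    '{"action":"scan","file":"report|final.pdf","user":"analyst"}',
    'not json at all',
]

if __name__ == "__main__":
    for lineno, path, value in audit_json_log(SAMPLE_LOG):
        print(f"line {lineno}: {path} -> {value!r}")
```

The fourth sample line carries a `|` but is not VNC-related, so it is deliberately not reported; widen `VNC_HINT_RE` if the audit should cover every log source.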
## References
- [Fortinet PSIRT Advisory FG-IR-26-141] hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-26-141
- [Canadian Centre for Cyber Security Advisory AV26-568] hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/fortinet-security-advisory-av26-568
- [Fortinet General Advisories] hxxps[://]www[.]fortiguard[.]com/psirt