Known Actively Exploited Vulnerabilities Round-up (29.03.24-04.04.24)

This article covers recent vulnerabilities found to be actively exploited. They are categorised not only by the category of exploitation, but also by their impact and the versions affected. The article also covers any official fix and remediation guidance for the listed vulnerabilities.

 

CVE-2023-48788

Category: SQL Injection

 

Versions Affected:

  • Fortinet FortiClient EMS version 7.2.0 through 7.2.2
  • Fortinet FortiClient EMS 7.0.1 through 7.0.10

 

Vulnerability Summary:

The FortiClient solution from Fortinet fails to properly neutralise special elements used in an SQL command, leaving it vulnerable to SQL injection.

The FcmDaemon.exe file provides the main service responsible for communicating with enrolled clients. It makes connections to FCTDas.exe and listens externally on tcp/8013, so it can be used to interact indirectly with FCTDas and make database queries. The code that handles these requests fails to sanitise the FCTUID parameter that is present in many of the FcmDaemon messages, allowing an attacker to manipulate the variable to include SQL statements, triggering a SQL injection attack.

 

Official Fix & Remediation Guidance:

Fortinet has released patches to address this SQL injection vulnerability. Customers are advised to upgrade to the latest version of the impacted product (7.2.3 or above). A virtual patch named “FG-VD-54509.0day:FortiClientEMS.DAS.SQL.Injection” is available in FMWP DB update 27.750.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

CVE-2024-3094

Category: Malware (Trojan or Embedded Malicious Code)

 

Versions Affected:

The malicious code is known to be in versions 5.6.0 and 5.6.1 of XZ Utils.

NOTE: Since the compression library is utilised by other software, this constitutes a ‘supply-chain’ attack, meaning that any other software using the library may also be vulnerable.

 

Vulnerability Summary:

Malicious code was discovered in the upstream tarballs of XZ Utils, starting with version 5.6.0. On 29 March 2024, a thread was published on Openwall’s oss-security mailing list showing that the code of liblzma was potentially compromised. The thread author identified compressed test files that had been added to the code to set up a backdoor via additions to the configure script in the tar files. A modified version of build-to-host.m4 was included in the release tar file uploaded on GitHub; it extracts a script that performs the actual injection into liblzma. GitHub has terminated the repository for XZ due to a terms of service violation, presumably because of the supply chain attack.

 

Official Fix & Remediation Guidance:

CISA recommends that developers and users downgrade XZ Utils to an uncompromised version, such as XZ Utils 5.4.6 Stable. Vendors including Red Hat advise immediately stopping use of the product until it is remediated.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
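A version check for the two XZ Utils releases named above, as an added example that is not part of the original article or of any vendor tooling. The function names and the sample output are constructed for illustration; the "+really" handling assumes the distribution packaging convention of encoding a rollback as "<new>+really<old>".

```shell
#!/usr/bin/env bash
# Added example: flag the XZ Utils versions this article lists as backdoored.

# classify_version VERSION -> prints "affected" or "not-listed"
classify_version() {
    local v="$1"
    # Packaging may encode a rollback as "<new>+really<old>"; the code actually
    # shipped is the part after "+really", so a bare substring match misfires.
    case "$v" in
        *+really*) v="${v#*+really}" ;;
    esac
    v="${v#*:}"     # drop a package epoch such as "1:"
    v="${v%%-*}"    # drop a packaging revision such as "-1"
    case "$v" in
        5.6.0|5.6.1) echo "affected" ;;
        *)           echo "not-listed" ;;
    esac
}

# scan_version_output TEXT -> one "component version status" line per component
scan_version_output() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "xz (XZ Utils) "*) name="xz";      ver="${line#"xz (XZ Utils) "}" ;;
            "liblzma "*)       name="liblzma"; ver="${line#"liblzma "}" ;;
            *) continue ;;
        esac
        echo "$name $ver $(classify_version "$ver")"
    done
}

# has_affected TEXT -> exit status 0 when any component is an affected version
has_affected() {
    scan_version_output "$1" | grep -q ' affected$'
}

# Constructed sample in the two-line format printed by `xz --version`
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

scan_version_output "$SAMPLE_OUTPUT"
if has_affected "$SAMPLE_OUTPUT"; then
    echo "ACTION: listed version found; follow the downgrade guidance above"
fi
```

"not-listed" means only that the version is not one of the two this article names. To check a host, pass the version string reported by its package manager to `classify_version`.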

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network, and cloud infrastructure. AppCheck is authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
