FOCUS FRIDAY: A TPRM Deep Dive into Outlook RCE and FortiClient EMS Vulnerabilities
Written by: Emily Conlin
Written by: Ferhat Dikbiyik
Additional Contributions: Ferdi Gül
Welcome to this week’s edition of Focus Friday, where we zero in on the cybersecurity battlefield through the lens of Third-Party Risk Management (TPRM). This series is dedicated to uncovering and understanding high-profile cyber incidents that pose significant risks to organizations worldwide. Today, we’re dissecting two critical vulnerabilities that have made headlines: the Remote Code Execution (RCE) vulnerability in Microsoft Outlook (CVE-2024-21378) and the SQL Injection vulnerability in Fortinet’s FortiClient EMS (CVE-2023-48788).
These vulnerabilities underscore the ever-present threat landscape businesses navigate and highlight the importance of proactive TPRM strategies. Join us as we delve into the specifics of these vulnerabilities, their implications for TPRM, and how Black Kite’s Focus Tags™ can be instrumental in managing these risks effectively.
CVE-2023-48788: Critical SQL Injection in FortiClient EMS
What is CVE-2023-48788?
CVE-2023-48788 is identified as a critical SQL injection vulnerability found within Fortinet’s FortiClient Endpoint Management Server (EMS). This flaw permits attackers to execute unauthorized commands or code remotely on the administrator’s workstation without requiring authentication. The severity of this vulnerability is underscored by a CVSS v3 base score of 9.8, indicating its critical nature due to its potential for high impact on confidentiality, integrity, and availability of the affected systems.
The vulnerability affects versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10 of the FortiClientEMS software. Fortinet has released patches for this vulnerability, recommending an upgrade to versions 7.2.3 or above and 7.0.11 or above to mitigate the risk.
Why Should TPRM Professionals Care?
This vulnerability presents a significant risk for any organization using the affected versions of FortiClient EMS due to the potential for unauthorized access and control over system files and data, password theft, and execution of arbitrary code. For TPRM professionals, understanding the exposure and ensuring that vendors apply the necessary patches is crucial to safeguarding sensitive information and maintaining the integrity of their networks.
What Questions Should TPRM Professionals Ask?
Given the critical nature of CVE-2023-48788, TPRM professionals should focus on specific queries:
Have you identified and patched all instances of FortiClient EMS affected by CVE-2023-48788 in your network?
Can you provide documentation or evidence of the patch application for the affected versions?
What measures do you have in place to detect SQL injection attempts and other unauthorized activities?
How do you ensure continuous monitoring and rapid response to future vulnerabilities identified in FortiClient EMS or other critical systems?
Remediation Recommendations for Vendors
To mitigate the risk associated with CVE-2023-48788, vendors should:
Immediately update to the latest patched versions of FortiClient EMS (7.2.3 or above, 7.0.11 or above).
Implement robust network monitoring and intrusion detection systems to spot potential exploitation attempts.
Conduct regular security assessments to identify and remediate vulnerabilities in a timely manner.
Educate staff on the importance of applying security updates and patches to prevent exploitation.
Leveraging Black Kite for CVE-2023-48788
Black Kite’s focus tag for CVE-2023-48788, published on March 14, 2024, empowers TPRM professionals with critical information regarding the vulnerability’s impact and affected assets. By identifying vendors using vulnerable versions of FortiClient EMS, TPRM professionals can prioritize their risk management efforts and ensure timely remediation steps are taken.
This focus on actionable intelligence highlights the value of Black Kite’s platform in streamlining the TPRM process, providing a clear pathway for operationalizing vulnerability management in response to emerging threats.
CVE-2024-21378: Critical RCE in Microsoft Outlook
What is CVE-2024-21378?
CVE-2024-21378 is a critical Remote Code Execution (RCE) vulnerability affecting Microsoft Outlook, allowing authenticated attackers to execute arbitrary code after authentication. This vulnerability poses a high risk, with a CVSS score of 8.0, indicating its severe impact on confidentiality, integrity, and availability. The EPSS score of 0.06% suggests a relatively low probability of exploitation in the near term, yet its exploitation could lead to access to sensitive information, system compromise, malware distribution, or data manipulation and destruction.
First identified and patched by Microsoft in February 2024, this vulnerability has drawn attention due to its potential exploitation by cyber espionage groups, similar to those previously associated with APT40, indicating a high risk of targeted attacks. Despite its critical nature, as of now, it hasn’t been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, nor has there been a specific advisory from CISA regarding this issue.
Why Should TPRM Professionals Care?
Given the widespread use of Outlook in business environments, this vulnerability presents a significant risk, especially for organizations relying heavily on email communication. The potential for compromised email systems to expose sensitive information or to be used in phishing campaigns makes it a pressing concern for Third-Party Risk Management (TPRM) professionals. The risk is particularly acute for organizations with vendors who may not have applied the necessary patches, thereby exposing them to data breaches or further network penetration.
What Questions Should TPRM Professionals Ask?
TPRM professionals should engage vendors with targeted questions, such as:
- Have you applied the specific security update released by Microsoft on February 13, 2024, to address the CVE-2024-21378 vulnerability in Microsoft Outlook?
- What specific security controls and monitoring practices have you implemented to detect and prevent exploitation attempts targeting CVE-2024-21378, such as unauthorized registry modifications or suspicious COM object creations?
- In the event of a detected exploitation attempt of CVE-2024-21378, what is your incident response protocol, especially regarding containment and eradication of malicious payloads delivered through this vulnerability?
- How have you educated your staff about the risks associated with CVE-2024-21378, including the potential for phishing attacks leveraging this vulnerability, and what measures are in place to encourage safe email practices?
Remediation Recommendations for Vendors
Vendors are urged to:
- Apply the February 2024 Security Update from Microsoft promptly.
- Enforce strong passwords and two-factor authentication for Exchange Server accounts.
- Regularly monitor products for signs of suspicious activity.
- Educate users on the importance of not interacting with suspicious emails and reporting them.
Leveraging Black Kite for CVE-2024-21378
Black Kite published the focus tag for CVE-2024-21378 on March 11, 2024, offering critical insights into the vulnerability’s impact and scope. TPRM professionals can utilize Black Kite’s platform to identify potentially affected vendors, focusing on those with vulnerable Outlook configurations. By leveraging the detailed asset information provided, such as IP addresses and subdomains at risk, organizations can prioritize their response efforts, reducing the time and resources spent on vendor assessments.
This proactive approach enables a more efficient and effective response to emerging threats, emphasizing the importance of targeted intelligence in managing third-party risks.
Enhancing TPRM with Strategic Insights from Black Kite’s Focus Tags™
In the realm of Third-Party Risk Management, staying one step ahead of cyber threats is not just a goal—it’s a necessity. Black Kite’s Focus Tags™ emerge as a critical ally in this ongoing battle, offering unparalleled insights into the cybersecurity challenges of today and tomorrow. This week’s spotlight on the Outlook RCE and FortiClient EMS vulnerabilities illustrates the agility and depth of intelligence that Focus Tags™ bring to TPRM professionals.
Here’s why Focus Tags™ are indispensable in the current threat landscape:
- Tailored Vulnerability Alerts: With Focus Tags™, the immediacy of information on vulnerabilities like Outlook RCE and FortiClient EMS transforms TPRM from reactive to proactive, ensuring that organizations can respond to threats before they escalate.
- Risk Prioritization: These tags don’t just identify threats; they help TPRM professionals weigh the severity of vulnerabilities against the criticality of the affected vendors, streamlining resource allocation and remediation efforts.
- Vendor-Specific Insights: By providing actionable intelligence on how specific vulnerabilities impact vendors, Focus Tags™ facilitate nuanced conversations that go beyond generic security assessments, fostering stronger, security-focused partnerships.
- Comprehensive Security Enhancement: Beyond individual vulnerabilities, Focus Tags™ offer a macro view of the threat environment, aiding in the development of robust cybersecurity frameworks that anticipate and mitigate diverse threats.
By shedding light on the intricate dynamics of vulnerabilities like those in Microsoft Outlook and FortiClient EMS, Black Kite’s Focus Tags™ not only guide TPRM professionals through the complexities of the digital age but also arm them with the knowledge to make informed, strategic decisions. In a world where cyber threats evolve daily, these insights are not just valuable—they’re essential for safeguarding the future of business operations.
Want to take a closer look at Focus Tags™?
Take our platform for a test drive and request a demo today.
Focus Tags™ in the last 30 days:
- FortiClient EMS: CVE-2023-48788, SQL Injection Vulnerability in Fortinet’s FortiClient Endpoint Management Server
- FortiOS SSL VPN: CVE-2024-21762, A Out-of-Bounds Write Vulnerability in FortiOS [Tag updated]
- Outlook RCE: CVE-2023-36439, RCE Vulnerability in Microsoft Exchange Server
- Change Healthcare Client
- JetBrains TeamCity: CVE-2023-42793, Authentication Bypass in JetBrains TeamCity CI/CD Servers; CVE-2024-27198, Authentication Bypass Vulnerability [Tag Updated]
- ScreenConnect:CVE-2024-1709, Authentication Bypass Vulnerability
- Cisco ASA [Suspected]CVE-2020-3259, Information Disclosure Vulnerability
- Exchange Server:CVE-2024-21410,Privilege Elevation Vulnerability
- QNAP QTS:CVE-2023-47218, CVE-2023-50358, OS Command Injection Vulnerability
- Symantec MG [Suspected]:CVE-2024-23615, CVE-2024-23614, Buffer Overflow Vulnerability (Remote Code Execution)
- FortiOS SSL VPN [Suspected]:CVE-2024-22024, An Out-of-Bounds Write Vulnerability
- RoundCube [Suspected] :CVE-2023-43770, Stored-XSS Vulnerability [Updated]
- Citrix ADC/Gateway:CVE-2023-6549 [Updated], Buffer Overflow Vulnerability
- Ivanti EPMM:CVE-2023-35082 [Updated], Authentication Bypass Vulnerability
- GoAnywhere [Suspected]:CVE-2024-0204, Authentication Bypass Vulnerability
- Redis RCE: CVE-2023-41056, Remote Code Execution Vulnerability
- Ivanti ICS: CVE-2024-21887, Command Injection Vulnerability, CVE-2023-46805, Authentication Bypass Vulnerability
- Cacti SQLi: CVE-2023-51448, Blind SQL Injection (SQLi) Vulnerability
References:
- https://fortiguard.fortinet.com/psirt/FG-IR-24-007
- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-bug-in-endpoint-management-software/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21378
- https://socprime.com/blog/cve-2024-21378-detection-vulnerability-in-microsoft-outlook-leads-to-authenticated-remote-code-execution/