HC3 issues sector alert on FortiSIEM platform vulnerability, urges healthcare organizations to prioritize upgrades

The Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health & Human Services (HHS) issued on Monday a sector alert warning healthcare and public health organizations of a vulnerability identified by Fortinet in its FortiSIEM platform. The vulnerability enables a hacker to execute commands on the target system, allowing for a potentially wide-scale and impactful cyberattack. 

The agency recommends that healthcare organizations operating FortiSIEM prioritize the upgrade of these platforms promptly. 

“On November 14th, the cybersecurity company Fortinet released an alert for an OS command injection vulnerability in versions 4.7 through 5.4 of their FortiSIEM platform,” HC3 said in its latest sector alert. “Fortinet describes this system as a unified event correlation and risk management platform that uses machine learning to detect unusual user and entity behavior without requiring the administrator to write complex rules.” 

It also identified that the “platform is used in the HPH sector, as it has capabilities tailored for health-related applications. This vulnerability is tracked as CVE-2023-36553 (and tracked as FG-IR-23-135 by Fortinet) and if exploited, it can allow a remote, unauthenticated attacker to use crafted API requests to execute unauthorized code or commands.” 

The HC3 sector alert recognizes that as of the release of this report, “this vulnerability is not known to be actively exploited in the wild. However, this is subject to change at any time.”

In a company advisory, Fortinet identified that an improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in the FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests. “This vulnerability was internally discovered as a variant of FG-IR-23-130,” it added.

Affected products cover all versions of FortiSIEM 5.4, FortiSIEM 5.3, FortiSIEM 5.2, FortiSIEM 5.1, FortiSIEM 5.0, FortiSIEM 4.10, FortiSIEM 4.9, and FortiSIEM 4.7. 

The HC3 disclosed that there are no known mitigations or workarounds. “In order to patch this vulnerability, the FortiSIEM platform must be upgraded in accordance with the instructions in the alert. HC3 recommends that all healthcare organizations operating FortiSIEM prioritize the upgrade of these platforms in a timely manner,” it added. 

Earlier this month, the HC3 released an analyst note regarding a relatively new ransomware group called BlackSuit. The strain bears notable resemblances to the Royal ransomware family and is expected to pose a credible threat to the healthcare and public health sector.

In light of the rising threats and attacks on the healthcare sector, the U.S. Food and Drug Administration (FDA) partnered with non-profit organization MITRE to create a white paper addressing the challenges posed by legacy medical devices in the healthcare sector. These devices continue to function but may be susceptible to cybersecurity risks. 

The FDA-MITRE document expands on previous work and offers near-term solutions, with guidance on how to implement key recommendations. It also takes into account the specific needs of less-resourced healthcare delivery organizations (HDOs), including rural providers and safety-net hospitals.
