Details have emerged about a new, unpatched security vulnerability in Fortinet's web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the underlying system.
"An OS command injection vulnerability in FortiWeb's administration interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page," cybersecurity firm Rapid7 said in an advisory published Tuesday. "This vulnerability appears to be related to CVE-2021-22123, which was resolved in FG-IR-20-120."
Rapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with FortiWeb version 6.4.1.
The command injection flaw has yet to be assigned a CVE identifier, but it carries a severity rating of 8.7 on the CVSS scale. Successful exploitation allows an authenticated attacker to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page, which means a single compromised administrator credential is enough to take over the appliance outright.
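To make the bug class concrete, the following added example (written for this article; it is not FortiWeb's code, whose internals the advisory does not describe) shows a hypothetical admin-interface handler that saves a "SAML server" entry by shelling out with the user-supplied name, alongside a hardened version. The server-name field, the `echo` command and the `INJECTED` marker are all constructed for the demonstration; the point is that a value such as `idp; echo INJECTED` becomes a second command when it is interpolated into a shell string, and becomes a single literal argument when it is passed as a discrete argv element after allow-list validation.

```python
import re
import subprocess

# Constructed example: a management-interface handler that records a SAML
# server name. Neither function is FortiWeb code; the shell command is a
# stand-in for whatever the real handler does with the value.


def save_saml_server_vulnerable(server_name: str) -> str:
    """Vulnerable pattern: untrusted input interpolated into a shell string.

    The shell parses metacharacters in server_name, so "idp; echo INJECTED"
    runs a second command. Returns stdout so the effect is observable.
    """
    cmd = f"echo saving SAML server {server_name}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Allow-list for a hostname-like server name: letters, digits, '.', '-', '_'.
_SERVER_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,253}$")


def run_without_shell(server_name: str) -> str:
    """Pass the value as one argv element; no shell ever parses it.

    Even "idp; echo INJECTED" is echoed back verbatim as a single argument.
    """
    result = subprocess.run(
        ["echo", "saving SAML server", server_name],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def save_saml_server_hardened(server_name: str) -> str:
    """Hardened pattern: validate against an allow-list, then avoid the shell.

    Validation rejects metacharacters outright; shell=False in
    run_without_shell is the second layer in case validation is ever loosened.
    """
    if not _SERVER_NAME.fullmatch(server_name):
        raise ValueError(f"invalid SAML server name: {server_name!r}")
    return run_without_shell(server_name)


def rejects_name(server_name: str) -> bool:
    """True if the hardened handler refuses the value."""
    try:
        save_saml_server_hardened(server_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "idp; echo INJECTED"
    print("vulnerable:", save_saml_server_vulnerable(payload).splitlines())
    print("argv only: ", run_without_shell(payload).splitlines())
    print("hardened rejects payload:", rejects_name(payload))
```

The two lines of output from the vulnerable handler, versus the single verbatim line from the argv version, are the whole story: the defence is to never let untrusted input reach a shell parser, and to constrain the value to what the field legitimately needs regardless.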
"An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges," Rapid7's Tod Beardsley said. "They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ."
Rapid7 also warns that although authentication is a prerequisite for achieving arbitrary command execution, the exploit could be chained with an authentication bypass flaw, such as CVE-2020-29015. In the interim, users are advised to block access to the FortiWeb device's administration interface from untrusted networks, including taking steps to prevent direct exposure to the internet. Because a successful attack runs as root and can leave behind a persistent shell, an appliance whose administration interface has been reachable from untrusted networks warrants a compromise review, not just the patch once it ships.
While there is no evidence that the new security issue has been exploited in the wild, it's worth noting that unpatched Fortinet devices have been a lucrative target for financially motivated and state-sponsored threat actors alike.
Earlier this April, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise devices belonging to government and commercial entities.
In the same month, Russian cybersecurity firm Kaspersky revealed that threat actors exploited the CVE-2018-13379 vulnerability in FortiGate VPN servers to gain access to enterprise networks in European countries and deploy the Cring ransomware.