The OS command-injection bug, in the web application firewall (WAF) system regarded as FortiWeb, will get a patch at the conclusion of the month.
An unpatched OS command-injection security vulnerability has been disclosed in Fortinet’s web software firewall (WAF) system, identified as FortiWeb. It could permit privilege escalation and whole product takeover, scientists stated.
FortiWeb is a cybersecurity defense system, aimed at protecting business-critical web apps from attacks that concentrate on regarded and unknown vulnerabilities. The firewall has been to retain up with the deployment of new or up to date features, or the addition of new web APIs, in accordance to Fortinet.
The bug (CVE pending) exists in FortiWeb’s administration interface (model 6.3.11 and prior), and carries a CVSSv3 base rating of 8.7 out of 10, generating it high-severity. It can allow a remote, authenticated attacker to execute arbitrary instructions on the method, through the SAML server configuration page, in accordance to Quick7 researcher William Vu who identified the bug.
“Note that when authentication is a prerequisite for this exploit, this vulnerability could be combined with a further authentication-bypass issue, these kinds of as CVE-2020-29015,” according to a Tuesday writeup on the issue.
After attackers are authenticated to the management interface of the FortiWeb device, they can smuggle instructions applying backticks in the “Name” industry of the SAML Server configuration web page. These commands are then executed as the root person of the fundamental running method.
“An attacker can leverage this vulnerability to consider full manage of the afflicted gadget, with the greatest attainable privileges,” in accordance to the writeup. “They could install a persistent shell, crypto mining application, or other malicious program.”
The destruction could be worse if the administration interface is uncovered to the internet: Rapid7 famous that attackers could pivot to the broader network in that scenario. On the other hand, Fast7 researchers discovered fewer than three hundred appliances that appeared to be doing so.
In the evaluation, Vu presented a evidence-of-thought exploit code, which utilizes an HTTP Article ask for and reaction.
Fortinet plans to launch a correct for the problem with FortiWeb 6.4.1, which will be produced at the stop of August, it stated.
“In the absence of a patch, buyers are advised to disable the FortiWeb device’s management interface from untrusted networks, which would contain the internet,” in accordance to Swift7. “Generally speaking, management interfaces for devices like FortiWeb must not be uncovered immediately to the internet anyway — as an alternative, they must be reachable only by way of trustworthy, internal networks, or around a protected VPN relationship.”
The researchers explained that the vulnerability seems to be relevant to CVE-2021-22123, which was patched in June.
Fortinet: Preferred for Exploit
The vendor is no stranger to cybersecurity bugs in its platforms. And, Fortinet’s cybersecurity products are well known as exploitation avenues with cyberattackers, together with country-state actors.
In April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that several advanced persistent threats (APTs) ended up actively exploiting three security vulnerabilities in the Fortinet SSL VPN for espionage. Exploits for CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812 had been becoming utilised for to attain a foothold inside of networks just before shifting laterally and carrying out recon, they warned.
One particular of all those bugs, a Fortinet vulnerability in FortiOS, was also witnessed becoming used to deliver a new ransomware strain, dubbed Cring, that is targeting industrial enterprises throughout Europe.
Threatpost has reached out to Fortinet for remark.
Some parts of this write-up are sourced from: