An unpatched security flaw has been discovered in Fortinet’s WAF (Web Application Firewall). This vulnerability can be exploited by remote attackers to execute malicious commands.
About The Vulnerability
“An OS command injection vulnerability in FortiWeb’s management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page,” said Rapid7, a cybersecurity firm, in an advisory published on Tuesday. “This vulnerability appears to be related to CVE-2021-22123, which was addressed in FG-IR-20-120.”
The discovery was made in June 2021. The patch is expected to be released in August 2021 with FortiWeb version 6.4.1.
What Can The Attackers Do?
This vulnerability has not yet been assigned a CVE identifier, but it still carries a CVSS score of 8.7. Successful exploitation allows an attacker to execute commands as the primary user on the system via the SAML server configuration pages.
“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,” said Tod Beardsley of Rapid7. “They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ.”
Authentication is required to exploit the flaw, said Rapid7. However, attackers could chain it with an authentication bypass flaw such as CVE-2020-29015. For the time being, customers are advised to block access to the FortiWeb device’s management interface from untrusted networks, and to avoid exposing the device directly to the internet.
Final Notes
No evidence has yet been discovered of the security vulnerability being exploited. However, it must be kept in mind that unpatched Fortinet servers have been targeted by attackers in the past.
In April, the FBI and CISA warned that threat actor groups were targeting Fortinet FortiOS servers by exploiting CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379 to attack commercial as well as government entities.
Also in April, Kaspersky reported that attackers had been exploiting the CVE-2018-13379 flaw in FortiGate VPN servers to gain access to networks owned by European enterprises and deploy Cring ransomware.