An unpatched vulnerability in the management interface for FortiWeb, Fortinet’s web application firewall, could allow a remote, authenticated attacker to execute arbitrary commands on the system, Rapid7 researcher William Vu has discovered.
Tod Beardsley, Director of Research at Rapid7, says that the good news is that this is not a vulnerability that is easily exploited over the internet.
“It requires access to the web-based management console, which, as near as we can tell, is exceedingly rare. Of the million or so Fortinet devices (not just FortiWeb) that are findable on the open internet, we only see something like 100 to 300 devices that have their management consoles exposed,” he told Help Net Security. “The far more likely attack scenario is a lateral movement from an internal network.”
About the FortiWeb vulnerability
The issue affects version 6.3.11 and prior of the FortiWeb’s management interface, and is an OS command injection vulnerability similar to CVE-2021-22123, which was fixed in June 2021.
“An attacker, who is first authenticated to the management interface of the FortiWeb device, can smuggle commands using backticks in the ‘Name’ field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system,” Beardsley explained.
“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges. They might install a persistent shell, crypto mining software, or use the compromised platform to reach into the affected network beyond the DMZ.”
He says that the risk of general exploitation is pretty low, since the attacker must know or guess a valid login credential in order to escalate their privileges to control over the operating system. Still, the flaw could be combined with an authentication bypass vulnerability.
What to do?
“While Fortinet initially acknowledged William Vu’s discovery pretty quickly, and did indicate they’d be working on a patch forthwith, we haven’t had an update since. That said, I would expect a patch to be released in the coming days,” Beardsley noted.
In the meantime, users can disable access to the FortiWeb device’s management interface from untrusted networks (including the internet), or allow access from untrusted networks only via a secure VPN connection.
UPDATE (August 18, 2021, 01:40 a.m. PT):
While lamenting the fact that the vulnerability was disclosed prior to the end of the their own 90-day responsible disclosure window, Fortinet told Help Net Security that they “are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week.”