Zero-Day Flaw Found in Fortinet's FortiWeb WAF Technology

Published: 23/11/2024   Category: security




Vendor says it plans to have a patch for the vulnerability by this weekend.



Researchers at Rapid7 today disclosed a critical zero-day vulnerability in Fortinet's FortiWeb Web application firewall (WAF) technology that attackers can exploit to gain complete control of affected devices.
The OS command injection vulnerability, a flaw that allows attackers to execute commands on the host operating system, exists in versions 6.3.11 and prior of FortiWeb's Web management interface.
An attacker with authenticated access to the interface can abuse the flaw to execute a variety of actions with the highest possible privileges on the system, including installing a persistent shell and deploying crypto-mining software or other malware. In situations where an organization might have exposed the management interface to the Internet, an attacker could abuse the flaw to breach the network beyond the DMZ, Rapid7 warns.
No patch is currently available for the flaw. Rapid7 recommends that organizations using vulnerable versions of the technology disable the device management interface from all untrusted networks, including the Internet, and make sure it is reachable only via VPN or through trusted internal networks.
Tod Beardsley, director of research at Rapid7, says the company publicly released details of the zero-day flaw in accordance with its policies for responsible disclosure.
"We tend to stick to a 60-day minimum for disclosing issues," Beardsley says. "Unfortunately, we hadn't heard back from Fortinet after 66 days or so." Shortly after the flaw was disclosed, he says, Fortinet indicated it would release a fix by the end of August.
A spokeswoman from Fortinet says the company is working on immediate notification of a workaround for customers and plans to have a patch as soon as the end of this week. Fortinet's own policies when dealing with vulnerability disclosures by third-party security researchers stipulate a 90-day responsible disclosure window, she says.
"We regret that in this instance individual research was fully disclosed without adequate notification prior to the 90-day window," the spokeswoman says.
According to Rapid7, the newly disclosed flaw appears related to another OS command injection flaw (CVE-2021-22123) that Fortinet patched on June 1. As with the new flaw, the previous issue also gave remote authenticated attackers a way to execute arbitrary commands on impacted systems via the SAML server configuration page.
The flaw disclosed this week allows an authenticated attacker to smuggle malicious commands onto an impacted device using backtick (command substitution) symbols in the Name field of the SAML Server configuration page. In a Unix shell, any command placed between a pair of backticks is executed first, and its output is then substituted into the actual or main command. Rapid7 included an exploit of the vulnerability to demonstrate how it works.
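To make the mechanism concrete, here is an added Python example (not Fortinet's or Rapid7's code; `saml_tool` is a hypothetical placeholder for whatever backend program consumes the Name value). It contrasts the unsafe pattern of splicing an untrusted Name into one shell command line with a hardened version that allowlists the value and hands it to the child process as its own argv element, so no shell ever parses it, and it includes a simple metacharacter check a defender can run over submitted configuration values.

```python
import re
import subprocess
import sys

# Added example, not Fortinet's or Rapid7's code. "saml_tool" is a hypothetical
# placeholder for the backend program that would consume the SAML server Name.

# Tokens a POSIX shell treats as command substitution, plus command separators.
SUBSTITUTION_TOKENS = ("`", "$(", "${")
SEPARATOR_TOKENS = (";", "&&", "||", "|", "\n")

# Allowlist for a display name: letters, digits, space, dot, dash, underscore; max 64.
NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")


def find_shell_metacharacters(name: str) -> list[str]:
    """Return the shell tokens present in name; an empty list means none were found.
    Usable as a detection check on configuration values before they reach a shell."""
    return [tok for tok in SUBSTITUTION_TOKENS + SEPARATOR_TOKENS if tok in name]


def vulnerable_command_line(name: str) -> str:
    """The unsafe pattern: the untrusted Name is spliced into a single shell string.
    Double quotes do not help; the shell still expands backticks inside them."""
    return f'saml_tool --name "{name}"'


def is_valid_name(name: str) -> bool:
    """Allowlist validation: reject anything outside the permitted character set."""
    return NAME_RE.fullmatch(name) is not None


def hardened_argv(name: str) -> list[str]:
    """Validate, then pass the Name as its own argv element so no shell parses it."""
    if not is_valid_name(name):
        raise ValueError(f"rejected SAML server name: {name!r}")
    return ["saml_tool", "--name", name]


def argv_roundtrip(name: str) -> str:
    """Show that without a shell a backtick is just a byte: the child process
    (the Python interpreter here, so the demo runs anywhere) receives the raw argv."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", name]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    hostile = "corp-idp`id`"  # constructed sample value with a backtick pair
    print("tokens found:", find_shell_metacharacters(hostile))
    print("unsafe string:", vulnerable_command_line(hostile))
    print("argv keeps it literal:", argv_roundtrip(hostile))
    print("validator accepts it?", is_valid_name(hostile))
```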
Beardsley says the new flaw in FortiWeb's management interface is a post-authentication flaw, which means attackers need to have some level of previous access to the device to exploit it.
"But the vulnerability itself allows an authenticated Web application user to promote themselves to root-level access on the host operating system," he notes. "This grants the attacker significantly better access to more than just FortiWeb. They can control the underlying operating system directly, so that opens the door to installing other, malicious applications on the device."
In addition, the vulnerability could also be combined with other vulnerabilities, such as CVE-2020-29015, a blind SQL injection flaw in the user interface of some versions of FortiWeb that allows attackers to bypass authentication measures, Rapid7 said.
Researchers have uncovered multiple vulnerabilities in Fortinet's FortiWeb WAF over the past several months. Early this year, researchers from Positive Technologies disclosed four vulnerabilities of varying severity in FortiWeb. Among them were a SQL injection flaw and a buffer overflow issue that allowed remote code execution. In June, Positive Technologies reported another command injection vulnerability in the FortiWeb management interface that enabled remote code execution attacks on impacted devices. Fortinet has issued patches for all these flaws.
