
Unpatched Remote Hacking Flaw Disclosed in Fortinet’s FortiWeb WAF

Fortinet FortiWeb WAF

Details have emerged about a new unpatched security
vulnerability in Fortinet’s web application firewall (WAF)
appliances that could be abused by a remote, authenticated attacker
to execute malicious commands on the system.

“An OS command injection vulnerability in FortiWeb’s management
interface (version 6.3.11 and prior) can allow a remote,
authenticated attacker to execute arbitrary commands on the system,
via the SAML server configuration page,” cybersecurity firm Rapid7
said[1] in an advisory published Tuesday. “This vulnerability appears
to be related to CVE-2021-22123[2], which was addressed in
FG-IR-20-120[3].”


Rapid7 said it discovered and reported the issue in June 2021.
Fortinet is expected to release a patch at the end of August with
version FortiWeb 6.4.1.

The command injection flaw is yet to be assigned a CVE
identifier, but it has a severity rating of 8.7 on the CVSS scoring
system. Successful exploitation of the vulnerability can allow
authenticated attackers to execute arbitrary commands as the root
user on the underlying system via the SAML server configuration
page.
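To show what an OS command injection in a configuration page looks like in code, here is an added example that is neither FortiWeb's code nor anything from Rapid7's advisory: a toy management handler that takes a hostname from a configuration form and passes it to an OS command, first in the vulnerable shell-string form and then in a hardened form that validates the input and calls the program with an argument list and no shell. The hostname field, the `echo` command and the validation pattern are assumptions made for the illustration.

```python
import re
import subprocess

# Toy illustration, not FortiWeb code: a management UI takes a hostname
# entered on a configuration page and uses it in an OS command.

# Assumed validation rule: RFC 1123 hostname labels only (letters, digits,
# hyphen), which excludes every shell metacharacter by construction.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def vulnerable_command(host: str) -> str:
    """Build a shell command line by string concatenation.

    Whatever the operator typed, including ';', '|' or '$(...)', becomes
    part of the command line the shell will parse.
    """
    return "echo checking " + host


def run_vulnerable(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, so a second command
    # smuggled into the field runs with the daemon's privileges (root on an
    # appliance whose management process runs as root).
    proc = subprocess.run(
        vulnerable_command(host), shell=True, capture_output=True, text=True
    )
    return proc.stdout


def hardened_argv(host: str) -> list[str]:
    """Validate strictly, then build a fixed argument list.

    Even if validation were skipped, an argv list is passed to the program
    as a single argument; it is never re-parsed by a shell.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["echo", "checking", host]


def run_hardened(host: str) -> str:
    proc = subprocess.run(hardened_argv(host), capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    crafted = "idp.example.com; echo INJECTED"  # constructed input
    print("vulnerable:", repr(run_vulnerable(crafted)))
    print("hardened:  ", repr(run_hardened("idp.example.com")))
    try:
        run_hardened(crafted)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The point of the pairing is that the fix is structural: strict validation plus an argv call removes the shell from the path entirely, rather than trying to blacklist individual metacharacters in the configuration field.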

“An attacker can leverage this vulnerability to take complete
control of the affected device, with the highest possible
privileges,” Rapid7’s Tod Beardsley said. “They might install a
persistent shell, crypto mining software, or other malicious
software. In the unlikely event the management interface is exposed
to the internet, they could use the compromised platform to reach
into the affected network beyond the DMZ.”

Rapid7 also warns that while authentication is a prerequisite
for achieving arbitrary command execution, the exploit could be
chained with an authentication bypass flaw, such as CVE-2020-29015[4]. In the interim, users
are advised to block access to the FortiWeb device’s management
interface from untrusted networks, including taking steps to
prevent direct exposure to the internet.
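The interim advice above, restricting the management interface to trusted networks, is easiest to act on when it is expressed as an explicit allowlist that can be both enforced and audited. The following added example (my own, not Rapid7's or Fortinet's, and not a FortiWeb log format) keeps an allowlist of administrator networks, decides whether a source address may reach the management interface, and runs that decision over constructed, simplified audit lines to flag logins that arrived from outside the trusted ranges. The network ranges, the log line layout and the field names are all assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed trusted administrator networks (constructed values; a real
# deployment lists its own management VLAN and jump-host ranges).
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.20.30.0/24"),      # management VLAN
    ipaddress.ip_network("192.0.2.10/32"),      # single jump host
    ipaddress.ip_network("2001:db8:100::/64"),  # IPv6 management prefix
]


def management_access_decision(src: str, trusted=TRUSTED_ADMIN_NETS) -> str:
    """Allow a connection to the management interface only from a trusted
    network; every other source, internet or internal, is denied."""
    addr = ipaddress.ip_address(src)
    return "allow" if any(addr in net for net in trusted) else "deny"


# Constructed, simplified audit lines: timestamp, source, destination port,
# interface role and login outcome.  Not a real FortiWeb log format.
SAMPLE_LOG = """\
2021-08-17T10:01:02Z src=10.20.30.7 dport=443 iface=mgmt login=success user=admin
2021-08-17T10:03:15Z src=203.0.113.55 dport=443 iface=mgmt login=failed user=admin
2021-08-17T10:04:40Z src=203.0.113.55 dport=443 iface=mgmt login=success user=admin
2021-08-17T10:05:01Z src=2001:db8:100::42 dport=443 iface=mgmt login=success user=ops
2021-08-17T10:06:30Z src=198.51.100.9 dport=443 iface=data login=failed user=root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"iface=(?P<iface>\S+) login=(?P<login>\S+) user=(?P<user>\S+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    user: str
    reason: str


def audit_management_logins(log_text: str, trusted=TRUSTED_ADMIN_NETS) -> list[Finding]:
    """Flag management-interface login attempts from sources outside the
    trusted networks.  A *successful* login from an untrusted source means
    the interface is reachable from where the policy says it should not be,
    which is exactly the exposure the interim mitigation is meant to remove."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["iface"] != "mgmt":
            continue  # only the management interface is in scope
        if management_access_decision(m["src"], trusted) == "allow":
            continue
        outcome = "login succeeded" if m["login"] == "success" else "login failed"
        findings.append(Finding(m["ts"], m["src"], m["user"], f"untrusted source, {outcome}"))
    return findings


if __name__ == "__main__":
    for f in audit_management_logins(SAMPLE_LOG):
        print(f"{f.ts} {f.src} user={f.user}: {f.reason}")
```

The same allowlist that drives `management_access_decision` is what the perimeter firewall and the appliance's own trusted-host settings should enforce; running the audit over real logs then confirms the enforcement is actually in place, which matters most for an authenticated flaw that can be chained with a credential or bypass problem.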


Although there is no evidence that the new security issue has
been exploited in the wild, it’s worth noting that unpatched
Fortinet servers have been a lucrative target for financially
motivated and state-sponsored threat actors alike.

Earlier this April, the Federal Bureau of Investigation (FBI)
and the Cybersecurity and Infrastructure Security Agency (CISA)
warned[5] of advanced persistent threat groups targeting Fortinet
FortiOS servers by leveraging CVE-2018-13379[6], CVE-2020-12812[7],
and CVE-2019-5591[8] to compromise systems belonging to government
and commercial entities.

In the same month, Russian cybersecurity company Kaspersky
revealed[9] that threat actors exploited the CVE-2018-13379
vulnerability in FortiGate VPN servers to gain access to enterprise
networks in European countries to deploy the Cring ransomware.

References

  1. said (www.rapid7.com)
  2. CVE-2021-22123 (nvd.nist.gov)
  3. FG-IR-20-120 (www.fortiguard.com)
  4. CVE-2020-29015 (nvd.nist.gov)
  5. warned (www.ic3.gov)
  6. CVE-2018-13379 (nvd.nist.gov)
  7. CVE-2020-12812 (nvd.nist.gov)
  8. CVE-2019-5591 (nvd.nist.gov)
  9. revealed (ics-cert.kaspersky.com)
