Security News > 2021 > August > Unpatched Fortinet FortiWeb vulnerability allows remote OS command injection

Unpatched Fortinet FortiWeb vulnerability allows remote OS command injection
2021-08-17 14:25

n unpatched vulnerability in the management interface for FortiWeb, Fortinet's web application firewall, could allow a remote, authenticated attacker to execute arbitrary commands on the system, Rapid7 researcher William Vu has discovered.

"It requires access to the web-based management console, which, as near as we can tell, is exceedingly rare. Of the million or so Fortinet devices that are findable on the open internet, we only see something like 100 to 300 devices that have their management consoles exposed," he told Help Net Security.

The issue affects version 6.3.11 and prior of the FortiWeb's management interface, and is an OS command injection vulnerability similar to CVE-2021-22123, which was fixed in June 2021.

"An attacker, who is first authenticated to the management interface of the FortiWeb device, can smuggle commands using backticks in the 'Name' field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system," Beardsley explained.

"An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges. They might install a persistent shell, crypto mining software, or use the compromised platform to reach into the affected network beyond the DMZ.".

In the meantime, users can disable access to the FortiWeb device's management interface from untrusted networks, or allow access from untrusted networks only via a secure VPN connection.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/c4jdDNndbtA/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-06-01 CVE-2021-22123 OS Command Injection vulnerability in Fortinet Fortiweb
An OS command injection vulnerability in FortiWeb's management interface 6.3.7 and below, 6.2.3 and below, 6.1.x, 6.0.x, 5.9.x may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.
network
low complexity
fortinet CWE-78
critical
9.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Fortinet 164 56 387 164 77 684