Unpatched Fortinet Bug Allows Firewall Takeovers

The OS command-injection bug, in the web application firewall (WAF) platform known as FortiWeb, will get a patch this week.


An unpatched OS command-injection security vulnerability has been disclosed in Fortinet’s web application firewall (WAF) platform, known as FortiWeb. It could allow privilege escalation and full device takeover, researchers said.

FortiWeb is a cybersecurity defense platform, aimed at protecting business-critical web applications from attacks that target known and unknown vulnerabilities. The firewall has been to keep up with the deployment of new or updated features, or the addition of new web APIs, according to Fortinet.

The bug (CVE pending) exists in FortiWeb’s management interface (version 6.3.11 and prior), and carries a CVSSv3 base score of 8.7 out of 10, making it high-severity. It can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page, according to Rapid7 researcher William Vu who discovered the bug.

Infosec Insiders Newsletter

“Note that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication-bypass issue, such as CVE-2020-29015,” according to a Tuesday writeup on the issue.

Once attackers are authenticated to the management interface of the FortiWeb device, they can smuggle commands using backticks in the “Name” field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.

“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,” according to the writeup. “They might install a persistent shell, crypto mining software, or other malicious software.”

The damage could be worse if the management interface is exposed to the internet: Rapid7 noted that attackers could pivot to the wider network in that case. However, Rapid7 researchers identified less than three hundred appliances that appeared to be doing so.

In the analysis, Vu provided a proof-of-concept exploit code, which uses an HTTP POST request and response.

In light of the disclosure, Fortinet has sped up plans to release a fix for the problem with FortiWeb 6.4.1 — originally planned for the end of August, it will now be available by the end of the week.

“We are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week,” it said in a statement provided to Threatpost.

The firm also noted that Rapid7’s disclosure was a bit of a surprise given vulnerability-disclosure norms in the industry.

“The security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the Fortinet PSIRT Policy page, which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. As such, we had expected that Rapid7 hold any findings prior to the end of the our 90-day Responsible disclosure window.  We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window.”

For now, Rapid7 offered straightforward advice:

“In the absence of a patch, users are advised to disable the FortiWeb device’s management interface from untrusted networks, which would include the internet,” according to Rapid7. “Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway — instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.”

The Rapid7 researchers said that the vulnerability appears to be related to CVE-2021-22123, which was patched in June.

Fortinet: Popular for Exploit

The vendor is no stranger to cybersecurity bugs in its platforms, and Fortinet’s cybersecurity products are popular as exploitation avenues with cyberattackers, including nation-state actors. Users should prepare to patch quickly.

In April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that various advanced persistent threats (APTs) were actively exploiting three security vulnerabilities in the Fortinet SSL VPN for espionage. Exploits for CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812 were being used for to gain a foothold within networks before moving laterally and carrying out recon, they warned.

One of those bugs, a Fortinet vulnerability in FortiOS, was also seen being used to deliver a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.

This post was updated August 18 at 1:30 p.m. ET with a statement from Fortinet.

Suggested articles