Fortinet firewall flaw could allow hackers to take over a device

Unpatched vulnerability in security system could allow execution of arbitrary commands

A bug in Fortinet’s web application firewall (WAF) platform FortiWeb could enable hackers to take over the device and run commands on it.

According to researchers at Rapid7, an operating system (OS) command injection vulnerability in FortiWeb's management interface, reachable through the SAML server configuration page, could let a remote, authenticated attacker execute arbitrary commands on the underlying system. The vulnerability affects FortiWeb versions 6.3.11 and below.

William Vu of Rapid7, who discovered the bug, classified it as an instance of CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The flaw received a severity score of 8.7.

Tod Beardsley, director of research at Rapid7, said an attacker who has already authenticated to the FortiWeb device's management interface can smuggle commands, using backticks, into the "Name" field of the SAML Server configuration page. The value is passed to the shell, which performs command substitution on the backticks, and the smuggled commands are executed as the root user of the underlying operating system.
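The bug class is simpler to see in code than in prose. The following is an added illustration of CWE-78 written for this page; it is not FortiWeb code, and nothing about how FortiWeb actually builds its commands is known from the article. It emulates a configuration handler that splices a user-supplied SAML server "Name" into a shell command string, beside two hardened variants: one that passes the value as a separate argv element so no shell ever parses it, and one that additionally rejects names outside an assumed allowlist (the `[A-Za-z0-9_.-]` policy is an assumption, not Fortinet's rule). The `echo` command stands in for whatever privileged program a real appliance would invoke.

```python
import re
import subprocess

# Constructed sample input: what an attacker would type into the "Name" field.
# Backticks are only one shell substitution syntax; $(...) behaves the same way.
INJECTED_NAME = "saml1`echo INJECTED`"

# Assumed policy for a SAML server name (hypothetical, not FortiWeb's real rule).
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Characters that let a value escape a shell-constructed command string.
SHELL_METACHARS = set("`$|;&<>(){}\\\"'\n")


def run_vulnerable(name: str) -> str:
    """Emulates the bug class (CWE-78): the field value is formatted into a
    command string that is then handed to /bin/sh via shell=True. The shell
    expands the backticks *before* `echo` runs, so the attacker's command
    executes with the privileges of this process (root, in the FortiWeb case).
    """
    cmd = f'echo "saml-server-name: {name}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(name: str) -> str:
    """First hardening layer: no shell at all. The value is a single argv
    element, so backticks, $(...), semicolons and pipes reach the target
    program as literal bytes and are never interpreted.
    """
    return subprocess.run(
        ["echo", f"saml-server-name: {name}"], capture_output=True, text=True
    ).stdout


def is_safe_name(name: str) -> bool:
    """Second layer: a positive allowlist on the field itself."""
    return NAME_RE.fullmatch(name) is not None


def shell_metachars_in(name: str) -> set:
    """Diagnostic used for logging/detection: which shell metacharacters a
    submitted name contains. Useful as a WAF or audit-log rule on this field.
    """
    return SHELL_METACHARS.intersection(name)


def run_hardened(name: str) -> str:
    """Both layers together: validate, then invoke without a shell."""
    if not is_safe_name(name):
        raise ValueError(
            f"rejected SAML server name {name!r}: "
            f"contains {sorted(shell_metachars_in(name))}"
        )
    return run_argv(name)


if __name__ == "__main__":
    print("vulnerable :", run_vulnerable(INJECTED_NAME).rstrip())  # substitution ran
    print("argv only  :", run_argv(INJECTED_NAME).rstrip())        # backticks literal
    try:
        run_hardened(INJECTED_NAME)
    except ValueError as exc:
        print("hardened   :", exc)
    print("hardened   :", run_hardened("corp-idp_01").rstrip())
```

Note that `run_argv` alone already defeats the backtick payload without any input validation; the allowlist is defence in depth against a downstream component that might itself hand the value to a shell, which is exactly the kind of indirection that makes this bug class survive in appliance firmware.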

“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges. They might install a persistent shell, crypto mining software, or other malicious software,” Beardsley said.


Beardsley added that in the unlikely event the management interface is exposed to the internet, an attacker could use the compromised platform to reach into the affected network beyond the DMZ. He said researchers at the firm identified fewer than 300 devices that appear to expose their management interfaces to the general internet.

While an attacker needs valid credentials to exploit the bug, researchers warned it could be chained with a separate authentication bypass issue, such as CVE-2020-29015, to remove that requirement.

“In the absence of a patch, users are advised to disable the FortiWeb device’s management interface from untrusted networks, which would include the internet,” according to Beardsley. “Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway — instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.”

In June, security researchers discovered a Fortinet FortiWeb firewall vulnerability that could let an attacker take full control of the security device. This came after the FBI issued a warning in May that an APT group exploited a FortiGate appliance to access a web server hosting the domain for a municipal government.
