A bug in Fortinet’s web application firewall (WAF) platform FortiWeb could enable hackers to take over the device and run commands on it.
According to researchers at Rapid7, an operating system (OS) command injection vulnerability in FortiWeb's management interface could let a remote authenticated attacker execute arbitrary commands on the system, via the SAML server configuration page. The vulnerability affects FortiWeb versions 6.3.11 and below.
Researcher William Vu of Rapid7 — the researcher who discovered the bug — found this was an instance of CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The flaw received a severity score of 8.7.
Tod Beardsley, director of Research at Rapid7, said a hacker who’s initially authenticated to the FortiWeb device’s management interface can smuggle commands using backticks in the SAML Server configuration page’s "Name" field. These commands are then executed as the root user of the underlying operating system.
“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges. They might install a persistent shell, crypto mining software, or other malicious software,” Beardsley said.
RELATED RESOURCE
2021 IBM Security X-Force Insider Threat Report
Top discovery methods and recommendations for insider attacks
Beardsley added that in the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ. He added that researchers at the firm identified less than 300 devices that appear to be exposing their management interfaces to the general internet.
While a hacker needs authentication to exploit the bug, researchers warned they could combine it with another authentication bypass issue, such as CVE-2020-29015.
“In the absence of a patch, users are advised to disable the FortiWeb device’s management interface from untrusted networks, which would include the internet,” according to Beardsley. “Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway — instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.”
In June, security researchers discovered a Fortinet FortiWeb firewall vulnerability that could let an attacker take full control of the security device. This came after the FBI issued a warning in May that an APT group exploited a Fortigate appliance to access a web server hosting the domain for a municipal government.
-
Hounslow Council partners with Amazon Web Services (AWS) to build resilience and transition away from legacy techSpomsored One of the most diverse and fastest-growing boroughs in London has completed a massive cloud migration project. Supported by AWS, it was able to work through any challenges
-
Salesforce targets better data, simpler licensing to spur Agentforce adoptionNews The combination of Agentforce 360, Data 360, and Informatica is more context for enterprise AI than ever before
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
