Flaws in FortiWeb WAF expose Fortinet devices to remote hack

Fortinet has recently fixed a high-severity vulnerability affecting its FortiWeb web application firewall (WAF) that can be exploited by remote attackers to execute arbitrary commands.

Fortinet has recently addressed a high-severity vulnerability (CVE-2021-22123) affecting its FortiWeb web application firewall (WAF), a remote, authenticated attacker can exploit it to execute arbitrary commands via the SAML server configuration page.

The vulnerability in the management interface of FortiWeb firewall was discovered by Andrey Medov, from cybersecurity firm Positive Technologies. Medov explained that the successful exploitation could potentially lead to a complete takeover of the server.

“An OS command injection vulnerability in FortiWeb’s management interface may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.” reads the advisory published by the vendor.

The flaw received a CVSSv3 score of 7.4 and the company addressed the issue with the release of FortiWeb versions 6.3.8 and 6.2.4.

Medov warns of the chaining of this issue with other ones, like CVE-2020-29015 that Positive Technologies discovered in May.

The CVE-2020-29015 is a blind SQL injection flaw that a remote, unauthenticated attacker could exploit to execute SQL commands or queries by sending a specially crafted request.

“The command injection vulnerability in the FortiWeb management interface may allow an authenticated remote attacker to execute arbitrary commands in the system via the SAML ¹ server configuration page. Executing commands with maximum privileges will result in the attacker gaining full control over the server.” Andrey Medov explains. “If, as a result of incorrect configuration, the firewall administration interface is available on the Internet, and the product itself is not updated to the latest versions, then the combination of CVE-2021-22123 and CVE-2020-29015 that Positive Technologies discovered earlier may allow an attacker to penetrate the internal network.“

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.