Patch released for Fortinet command injection vulnerability

A Rapid7 researcher discovered the issue, which was addressed in a recent Fortinet update.
Written by Jonathan Greig, Contributor

Update: In a statement to ZDNet, Fortinet criticized Rapid7 for releasing the study and said a patch would be released by the end of the month

"The security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the Fortinet PSIRT Policy page, which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers," a Fortinet spokesperson said. 

"As such, we had expected that Rapid7 hold any findings prior to the end of our 90-day Responsible disclosure window.  We regret that individual research was fully disclosed in this instance without adequate notification prior to the 90-day window.  We are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week."

Previously: Fortinet has patched a vulnerability that attackers could have leveraged to take complete control of a device with the highest possible privileges, according to a report from cybersecurity company Rapid7.

Rapid7 researcher William Vu was credited with discovering the issue, which centers around an OS command injection vulnerability in FortiWeb's management interface, particularly in version 6.3.11 and prior. 

The vulnerability allows a remote, authenticated attacker "to execute arbitrary commands on the system, via the SAML server configuration page."

"This is an instance of CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), and has a CVSSv3 base score of 8.7," the report said.

Vu added that the vulnerability appeared to be tied to CVE-2021-22123 and was patched by Fortinet in June. 

Fortinet FortiWeb is a web application firewall that is built to identify both known and unknown exploits targeting protected web applications before they have a chance to execute, according to Rapid7. 

Vu discovered the vulnerability in June, and Fortinet quickly acknowledged the disclosure and patched the issue. 

Rapid7 released a detailed report about how the attack works, noting that a hacker who has already been authenticated to the management interface of the FortiWeb device could then "smuggle commands using backticks in the 'Name' field. Of the SAML Server configuration page."

"An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges. They might install a persistent shell, crypto mining software, or use the compromised platform to reach into the affected network beyond the DMZ," the report said.  

"Note that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication bypass issue, such as CVE-2020-29015."

If users are not able to patch their devices, Rapid7 suggests disabling the FortiWeb device's management interface from untrusted networks, which they said: "includes the internet."

"Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway -- instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection," the Rapid7 report explained. 

Fortinet has invested heavily in security features over the last year, but that has done little to stop widespread concern about multiple vulnerabilities found in their products over the last six months. 

The FBI and CISA have released multiple alerts warning Fortinet users about insecure products being exploited by hackers. 

The FBI issued a flash alert in May after a local government office was attacked through Fortinet vulnerabilities

That alert came just weeks after another report was released by US agencies warning that advanced persistent threat groups are exploiting Fortinet FortiOS vulnerabilities to compromise systems belonging to government and commercial entities.

Editorial standards