Fortinet firewall flaw could allow hackers to take over a device

Unpatched vulnerability in security system could allow execution of arbitrary commands

A bug in Fortinet’s web application firewall (WAF) platform FortiWeb could enable hackers to take over the device and run commands on it.

According to researchers at Rapid7, an operating system (OS) command injection vulnerability in FortiWeb's management interface could let a remote authenticated attacker execute arbitrary commands on the system, via the SAML server configuration page. The vulnerability affects FortiWeb versions 6.3.11 and below. 

William Vu, the Rapid7 researcher who discovered the bug, classified it as an instance of CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). Rapid7 assigned the flaw a severity score of 8.7.

Tod Beardsley, director of Research at Rapid7, said a hacker who’s initially authenticated to the FortiWeb device’s management interface can smuggle commands using backticks in the SAML Server configuration page’s "Name" field. These commands are then executed as the root user of the underlying operating system. 

“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges. They might install a persistent shell, crypto mining software, or other malicious software,” Beardsley said.
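The mechanism Beardsley describes is ordinary shell command substitution: when a user-supplied field is pasted into a command line and handed to /bin/sh, anything between backticks is executed before the intended command ever runs. The following is an added illustration, not FortiWeb code and not Rapid7's proof of concept. The handler names, the `mkdir` command that uses the name, and the allow-list pattern are all hypothetical; the attacker input is constructed for the demonstration and merely touches a marker file in a temporary directory.

```python
import os
import re
import subprocess
import tempfile

# Hypothetical allow-list for a "Name" field: letters, digits, dot, dash and
# underscore only. Backticks, $, ;, |, spaces and other shell metacharacters
# never get through.
SAML_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def vulnerable_save_saml_server(name: str, base_dir: str) -> str:
    """Hypothetical vulnerable handler: CWE-78 via shell string building."""
    # The user-controlled name is concatenated into a command line and run
    # through /bin/sh. Before mkdir is invoked, the shell performs command
    # substitution on any `...` in the string, so whatever the attacker put
    # between the backticks executes with this process's privileges (root,
    # in the case the article describes).
    cmd = f"mkdir -p {base_dir}/saml_{name}"
    subprocess.run(cmd, shell=True, check=False,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return f"{base_dir}/saml_{name}"


def safe_save_saml_server(name: str, base_dir: str) -> str:
    """Hardened handler: validate the field, and never hand it to a shell."""
    if not SAML_NAME_RE.fullmatch(name):
        raise ValueError(f"rejected SAML server name: {name!r}")
    target = os.path.join(base_dir, f"saml_{name}")
    # Argument vector, no shell: even if validation were bypassed, the
    # backticks would reach mkdir as literal characters, not as a command.
    subprocess.run(["mkdir", "-p", target], check=True)
    return target


def demo_injection() -> bool:
    """True if the backtick payload executed through the vulnerable handler,
    i.e. the marker file the payload touches now exists."""
    work = tempfile.mkdtemp()
    marker = os.path.join(work, "pwned")
    payload = f"`touch {marker}`"          # constructed attacker input
    vulnerable_save_saml_server(payload, work)
    return os.path.exists(marker)


def demo_hardened() -> bool:
    """True if the same payload is rejected by the hardened handler and no
    marker file appears."""
    work = tempfile.mkdtemp()
    marker = os.path.join(work, "pwned")
    payload = f"`touch {marker}`"          # same constructed attacker input
    try:
        safe_save_saml_server(payload, work)
    except ValueError:
        return not os.path.exists(marker)
    return False


if __name__ == "__main__":
    print("vulnerable handler ran the attacker's command:", demo_injection())
    print("hardened handler blocked it:", demo_hardened())
```

The two fixes are independent and both are worth having: the allow-list stops hostile input at the boundary, and the argument-vector call removes the shell from the path entirely, so a future field that slips past validation still cannot become a command. Where the work can be done without spawning a process at all (here `os.makedirs`), that is better still.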


Beardsley added that in the unlikely event the management interface is exposed to the internet, an attacker could use the compromised platform to reach into the affected network beyond the DMZ. He said researchers at the firm identified fewer than 300 devices that appear to expose their management interfaces to the general internet.

While a hacker needs to be authenticated to exploit the bug, researchers warned that it could be chained with an authentication bypass, such as CVE-2020-29015, to remove that requirement.

“In the absence of a patch, users are advised to disable the FortiWeb device’s management interface from untrusted networks, which would include the internet,” according to Beardsley. “Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway — instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.”

In June, security researchers discovered a separate Fortinet FortiWeb vulnerability that could let an attacker take full control of the security device. This came after the FBI issued a warning in May that an APT group exploited a FortiGate appliance to access a web server hosting the domain for a municipal government.
