An authenticated attacker could execute arbitrary commands as the root user on the underlying system via the SAML server configuration page. The vulnerability impacts Fortinet FortiWeb versions 6.3.11 and earlier, an authenticated attacker could exploit the issue to take complete control of servers running vulnerable versions of the FortiWeb WAF.

An authenticated attacker could execute arbitrary commands as the root user on the underlying system via the SAML server configuration page when used along with  CVE-2020-29015 to allow an unauthenticated attacker to trigger the vulnerability.

An attacker, who is first authenticated to the management interface of the FortiWeb device, can smuggle commands using backticks in the “Name” field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges.

The flaw could allow an attacker to deploy a persistent shell, install crypto mining software, or other malware families. If the management interface is exposed to the internet, an attacker could trigger the issue to reach into the affected network beyond the DMZ. Researchers discovered less than three hundred devices exposing their management interfaces online.

Users are recommended to disable the FortiWeb device’s management interface from untrusted networks. They should only be reachable only via trusted, internal networks or a secure VPN connection till it got addressed with a patch

Below is the disclosure timeline for this issue:

  • June, 2021: Issue discovered and validated by William Vu of Rapid7
  • Thu, Jun 10, 2021: Initial disclosure to the vendor via their PSIRT
  • Fri, Jun 11, 2021: Acknowledged by the vendor (ticket 132097)
  • Wed, Aug 11, 2021: Follow up with the vendor
  • Tue, Aug 17, 2021: Public disclosure
  • Tue, Aug 17, 2021: Vendor indicated that Fortiweb 6.4.1 is expected to include a fix, and will be released at the end of August