March 21, 2023

An authenticated attacker could execute arbitrary commands as the root user on the underlying system via the SAML server configuration page. The vulnerability impacts Fortinet FortiWeb versions 6.3.11 and earlier, an authenticated attacker could exploit the issue to take complete control of servers running vulnerable versions of the FortiWeb WAF.

An authenticated attacker could execute arbitrary commands as the root user on the underlying system via the SAML server configuration page when used along with  CVE-2020-29015 to allow an unauthenticated attacker to trigger the vulnerability.

An attacker, who is first authenticated to the management interface of the FortiWeb device, can smuggle commands using backticks in the “Name” field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges.

The flaw could allow an attacker to deploy a persistent shell, install crypto mining software, or other malware families. If the management interface is exposed to the internet, an attacker could trigger the issue to reach into the affected network beyond the DMZ. Researchers discovered less than three hundred devices exposing their management interfaces online.

Users are recommended to disable the FortiWeb device’s management interface from untrusted networks. They should only be reachable only via trusted, internal networks or a secure VPN connection till it got addressed with a patch

Below is the disclosure timeline for this issue:

  • June, 2021: Issue discovered and validated by William Vu of Rapid7
  • Thu, Jun 10, 2021: Initial disclosure to the vendor via their PSIRT
  • Fri, Jun 11, 2021: Acknowledged by the vendor (ticket 132097)
  • Wed, Aug 11, 2021: Follow up with the vendor
  • Tue, Aug 17, 2021: Public disclosure
  • Tue, Aug 17, 2021: Vendor indicated that Fortiweb 6.4.1 is expected to include a fix, and will be released at the end of August
Tags:

Leave a Reply

Related Post

DotRunpeX – Malware Injector Spreads in Wild

DotRunpeX – Malware Injector Spreads in Wild

March 21, 2023
Killnet Targets Healthcare Azure Resources

Killnet Targets Healthcare Azure Resources

March 21, 2023

You may have missed

DotRunpeX – Malware Injector Spreads in Wild

DotRunpeX – Malware Injector Spreads in Wild

March 21, 2023
Killnet Targets Healthcare Azure Resources

Killnet Targets Healthcare Azure Resources

March 21, 2023
NBA suffers a Data Breach – Third Party Provider Data Stolen

NBA suffers a Data Breach – Third Party Provider Data Stolen

March 21, 2023
Ferrari – Cyber Attack Ransom Demanded

Ferrari – Cyber Attack Ransom Demanded

March 21, 2023
ForgeRock new Passwordless Service

ForgeRock new Passwordless Service

March 20, 2023
New Decryptor for Conti Ransomware Released

New Decryptor for Conti Ransomware Released

March 20, 2023
%d bloggers like this: