Unpatched Fortinet Bug Would Allow Remote Attackers To Execute Arbitrary Commands

A 0-day command injection vulnerability was found in Fortinet FortiWeb (WAF), and the security report claimed that Fortinet will soon release a fix for this vulnerability.

This vulnerability was initially detected by the cybersecurity researchers of Rapid7 it enables an authenticated attacker to administer arbitrary commands as root by the SAML server configuration page.

Not only this but they also reported that the threat actor could use it to obtain full control of the vulnerable device with the most formidable possible opportunities. 

However, this vulnerability has been detected on Fortinet’s web application firewall (WAF) platform, acknowledged as FortiWeb. 

FortiWeb is a cybersecurity protection platform, its main motive is to protect business-critical web applications from attacks that generally target associated and undiscovered vulnerabilities.

Flaw profile

• CVE ID: CVE-2020-29015
• Summary: It is a blind SQL injection flaw in the UI of FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4. By exploiting this security flaw an unauthenticated threat actor can execute arbitrary SQL queries or commands remotely.
• IR Number: FG-IR-20-124
• Date: Jan 04, 2021
• Risk: 3 out of 5
• CVSSv3 Score: 6.4
• Impact: Execute unauthorized code or commands

Fortinet is popular for exploit

Fortinet’s cybersecurity commodities are quite famous as exploitation streets along with cyber attackers. Even it also includes nation-state actors, therefore the experts suggested that every user must plan to patch it as soon as possible.

After detecting this vulnerability, the FBI along with the Cybersecurity and Infrastructure Security Agency (CISA) informed several advanced determined threats (APTs) were currently exploiting three security vulnerabilities in the Fortinet SSL VPN for espionage.

Moreover, the experts pronounced that the exploits for CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812 were being used to obtain space within networks before implementing their planned operation.

Disclosure Timeline

After a proper investigation, the security analysts have mentioned a full list of disclosure timelines that they have made, and here we have mentioned below:-

• June, 2021: Issue identified and confirmed by William Vu of Rapid7
• Thu, Jun 10, 2021: Initial exposure to the vendor through their PSIRT Contact Form
• Fri, Jun 11, 2021: Recognized by the vendor (ticket 132097)
• Wed, Aug 11, 2021: Follow up with the vendor
• Tue, Aug 17, 2021: Public exposure through this post
• Tue, Aug 17, 2021: The vendor meant that Fortiweb 6.4.1 is expected to add a fix, and will be published at the end of August

Remediation

Apart from this, the cybersecurity researchers have suggested some remediation, until Fortinet is not releasing the patch for the vulnerability. Initially, users must disable the FortiWeb device’s management interface from suspicious networks, which also include the internet.

Not only this but FortiWeb should not get reveal directly to the internet, as it should be reachable only through trusted internal networks, or it can be reached over a secure VPN connection.

While the security authorities of Rapid7 requested every user to follow the recommendation, until and unless a security patch is not being disclosed by Fortinet.