Researchers find high-severity command injection vuln in Fortinet's web app firewall

Mitigation: Don't let randomers from the internet log in to your firewall


Updated A command injection vulnerability exists in Fortinet's management interface for its FortiWeb web app firewall, according to infosec firm Rapid7.

An authenticated attacker can use the vuln to execute commands as root on the Fortiweb device, Rapid7 said in a blog post.

By using backticks "in the 'name' field of the SAML Server configuration page," attackers can bypass controls – though obtaining access to the firewall itself first can be a non-trivial obstacle for attackers to overcome. Nonetheless, the vuln is rated 8.7 on the CVSSv3 scale.

"An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges," said Rapid7. "They might install a persistent shell, crypto mining software, or use the compromised platform to reach into the affected network beyond the DMZ."

The researchers said they'd received word that Fortiweb 6.4.1 would include a fix. The update will be released at the end of August. Fortinet's PSIRT (product security incident response team) page was last updated on 3 August.

Mitigating the vuln in the absence of a patch is straightforward; ensure the management interface isn't accessible from untrusted networks, such as the wider internet.

Bleeping Computer reported some mild controversy about the timing of the disclosure; Rapid7 alleged it had been left hanging for a month by Fortinet after reporting the vuln, while Fortinet claimed Rapid7 had breached Fortinet's own vuln reporting guidelines by disclosing it within 90 days. We've asked Fortinet for comment and for a timeline on the patch; we will update this article if we hear back from the firm.

Using backticks to "smuggle commands" onto a vulnerable device, as Rapid7 put it, is a fairly old penetration technique. In 2019, The Register revealed that a series of Huawei routers used for years in the UK were vulnerable to command injection attacks using backticks in a similar fashion. Back in 2013, Sophos had to patch a similar web firewall appliance after researchers identified that a function in a Perl script failed to fully escape a script argument prior to executing it – meaning backticks could be used to insert extra commands.

In July, Fortinet disclosed a remote code execution vuln in some of its software products that it patched. The firm's VPN product is a favourite target of hostile foreign nations' cyber-attack squads, as we reported earlier this year. ®

Updated to add

"Our disclosure policy is clearly outlined on the Fortinet PSIRT Policy page, which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers," a Fortinet spokesperson told The Register.

"As such, we had expected that Rapid7 hold any findings prior to the end of the our 90-day Responsible disclosure window. We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window.

"We are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week."


Other stories you might like

Biting the hand that feeds IT © 1998–2021