Fortinet firewall flaw could allow hackers to take over a device

Unpatched vulnerability in security system could allow execution of arbitrary commands

Fortinet sign on a grey building
(Image credit: Shutterstock)
Rene Millman's avatar
By
published
in News

A bug in Fortinet’s web application firewall (WAF) platform FortiWeb could enable hackers to take over the device and run commands on it.

According to researchers at Rapid7, an operating system (OS) command injection vulnerability in FortiWeb's management interface could let a remote authenticated attacker execute arbitrary commands on the system, via the SAML server configuration page. The vulnerability affects FortiWeb versions 6.3.11 and below.

Fortinet firewall vulnerability could give hackers full control Weekly threat roundup: Fortinet, Apple Mail, AMD Zen 3 CPUs Fortinet FortiGate 60F: A fully-featured security appliance Fortinet and IBM join forces on cyber security training

Researcher William Vu of Rapid7 — the researcher who discovered the bug — found this was an instance of CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The flaw received a severity score of 8.7.

Tod Beardsley, director of Research at Rapid7, said a hacker who’s initially authenticated to the FortiWeb device’s management interface can smuggle commands using backticks in the SAML Server configuration page’s "Name" field. These commands are then executed as the root user of the underlying operating system.

“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges. They might install a persistent shell, crypto mining software, or other malicious software,” Beardsley said.

RELATED RESOURCE

2021 IBM Security X-Force Insider Threat Report

Top discovery methods and recommendations for insider attacks

FREE DOWNLOAD

Beardsley added that in the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ. He added that researchers at the firm identified less than 300 devices that appear to be exposing their management interfaces to the general internet.

While a hacker needs authentication to exploit the bug, researchers warned they could combine it with another authentication bypass issue, such as CVE-2020-29015.

“In the absence of a patch, users are advised to disable the FortiWeb device’s management interface from untrusted networks, which would include the internet,” according to Beardsley. “Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway — instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.”

In June, security researchers discovered a Fortinet FortiWeb firewall vulnerability that could let an attacker take full control of the security device. This came after the FBI issued a warning in May that an APT group exploited a Fortigate appliance to access a web server hosting the domain for a municipal government.

Rene Millman
Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.

Latest
You might also like
View More ▸