Enterprise security firm Fortinet has resolved a variety of vulnerabilities in its network security appliances.
The FortiWeb web application firewall (WAF) is designed to shield servers from web-based attacks, but was itself vulnerable to an SQL injection problem.
This vulnerability (CVE-2020-29015) in the user interface of FortiWeb allowed an unauthenticated, remote attacker to execute arbitrary SQL queries or commands before it was resolved, an advisory from Fortinet admits.
The problem was discovered and disclosed by Andrey Medov of PT Swarm, Positive Technologies’ offensive security team.
Buffer zone
Medov further discovered that FortiWeb had a buffer overflow issue (CVE-2020-29016) that might potentially be exploited to execute unauthorized commands.
A separate stack-based buffer overflow vulnerability in FortiWeb may allow a remote, authenticated attacker to crash the WAF’s httpd daemon thread by sending a request with a crafted cookie header.
The bug – another Medov find – posed a denial-of-service risk.
The same researcher also discovered a slightly less severe format string vulnerability in FortiWeb that could have allowed an authenticated, remote attacker to read the content of memory and retrieve sensitive data.
Version control
The format string and SQL injection vulnerabilities affect FortiWeb versions 6.3.5 and below and were resolved by version 6.3.6.
However, the memory handling problems both affected FortiWeb versions 6.3.7 and below, according to the vendor.
These particular flaws were only resolved by upgrading to FortiWeb 6.3.8 or above, or, for users on the earlier 6.2 release train, by moving from 6.2.3 and below to 6.2.4.
The practical upshot seems to be that users ought to update to FortiWeb 6.3.8 to be safe.
The Daily Swig contacted Positive Technologies for clarification on this point. We also put in a query to Fortinet for a general comment on the vulnerabilities, but we have yet to hear back from either party.
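The affected and fixed ranges above are easy to misread across the two release trains, so here is an added example (not from the article, Fortinet or Positive Technologies) that encodes exactly those ranges as a version-triage helper for an asset inventory. The issue labels, and the conservative choice to keep flagging the SQL injection and format string bugs on the 6.2 train because the article names no separate 6.2 fix for them, are assumptions.

```python
"""Check a FortiWeb version string against the affected/fixed ranges quoted
in the article. Constructed triage helper; not Fortinet code."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'6.3.7' -> (6, 3, 7); tuples compare lexicographically, which is what we need."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# Each entry: (label, highest affected version stated in the article,
# fixed version per release train keyed by the (major, minor) prefix).
ISSUES: List[Tuple[str, Version, Dict[Version, Version]]] = [
    # "affect FortiWeb versions 6.3.5 and below and were resolved by version 6.3.6";
    # no 6.2 fix is named, so the 6.2 train stays flagged (conservative assumption).
    ("CVE-2020-29015 SQL injection (unauthenticated)", (6, 3, 5), {(6, 3): (6, 3, 6)}),
    ("format string / memory disclosure (authenticated)", (6, 3, 5), {(6, 3): (6, 3, 6)}),
    # "6.3.7 and below", fixed in 6.3.8, or 6.2.4 for the 6.2 release train.
    ("CVE-2020-29016 buffer overflow", (6, 3, 7), {(6, 3): (6, 3, 8), (6, 2): (6, 2, 4)}),
    ("stack overflow via crafted cookie header (httpd DoS)", (6, 3, 7),
     {(6, 3): (6, 3, 8), (6, 2): (6, 2, 4)}),
]


def affected_issues(version_text: str) -> List[str]:
    """Return the labels of the issues that still apply to this version."""
    v = parse_version(version_text)
    train = v[:2]
    hits = []
    for label, affected_upto, fixed_by_train in ISSUES:
        fixed = fixed_by_train.get(train)
        if fixed is not None and v >= fixed:
            continue  # at or past the fix for this release train
        if v <= affected_upto:
            hits.append(label)
    return hits


def is_patched(version_text: str) -> bool:
    """True when none of the four FortiWeb issues from the article apply."""
    return not affected_issues(version_text)


if __name__ == "__main__":
    for ver in ("6.2.3", "6.2.4", "6.3.5", "6.3.6", "6.3.8"):
        print(ver, "->", affected_issues(ver) or "patched")
```

Versions the article does not mention (6.4 and later, or 7.x) fall outside every stated ceiling and are reported as clean, which is a statement about the article's ranges, not about those releases.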
In addition to this quartet of flaws, Fortinet also resolved a critical OS command line injection vulnerability in its FortiDeceptor line as part of the same patch batch, all released on Tuesday (January 5).
Source: https://portswigger.net/daily-swig/fortinet-updates-web-application-firewall-to-protect-against-sql-injection-denial-of-service-attacks