A vulnerability has been discovered in Fortinet’s web application firewall (WAF) that allows attackers to run arbitrary commands on devices and servers running the security software, according to new findings by Rapid7.
FortiWeb protects web applications from attacks that target known and unknown vulnerabilities. Fortinet provides FortiWeb as a SaaS offering as well hardware WAFs with various network capacities.
According to Rapid7’s William Wu, the SAML configuration page of FortiWeb had a command injection vulnerability that allowed attackers to embed arbitrary system commands in web requests.
These commands would then be executed as the root user on the operating system running FortiWeb.
Authentication required
A proof of concept shows how an attacker could exploit the vulnerability by adding a backtick and an arbitrary command to an HTTP request.
The vulnerability is only accessible to authenticated parties, so an adversary would need to gain access to the administrator’s credentials before staging the attack.
However, once the device is compromised, the attacker can leverage the vulnerability to control the affected device “with the highest possible privileges”, according to Rapid7.
“[The attacker] might install a persistent shell, crypto-mining software, or other malicious software,” Rapid7 wrote in its advisory.
If the device’s management interface is exposed to the internet, the attacker could use the compromised platform to reach into the affected network beyond the secured perimeter.
Rapid7’s researchers found less than 300 FortiWeb devices that had their management interface accessible through the general internet.
Patch incoming
Fortinet will patch the bug in the next version of FortiWeb (6.4.1), which according to Rapid7 will be released later in August.
In the meantime, Rapid7 advises administrators to make FortiWeb’s device management interface inaccessible to untrusted networks, including the general internet.
“Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway – instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection,” Rapid7 wrote on its blog.
Source: https://portswigger.net/daily-swig/fortinet-waf-vulnerable-to-command-injection-attacks-researchers-find
