Description
Researchers from Rapid7 have discovered a vulnerability in Fortinets web application firewall (WAF) which allows an authenticated remote attacker to execute an OS command injection.
Summary
The vulnerability when exploited can allow the attacker to execute arbitrary commands on the system, via the Security Assertion Markup Language (SAML) server configuration page. This will allow the attacker to take complete control of the affected device with the highest possible privileges.
How it works
An attacker authenticated to the management interface of the device can secretly move commands in using backticks in the Name field of the SAML Server configuration page. These commands are then executed as the root user of the Operating system. The attacker can install a persistent shell, crypto mining software, or other malware. In the unlikely event, the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ.
While authentication is a necessity for this exploit, this vulnerability could be combined with another authentication bypass issue, such as CVE-2020-29015.
For further information on this vulnerability kindly follow this URL:
https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/
Remediation
While there is not patch out as yet for this vulnerability, users are advised to disable the FortiWeb devices management interface from untrusted networks, which includes the internet. This interface should only be reachable by trusted, internal networks or via a secure VPN connection.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Unpatched Remote Hacking Flaw Disclosed in Fortinet FortiWeb WAF.pdf
References
https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html
https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/