Researchers from Rapid7 have discovered a vulnerability in Fortinet’s web application firewall (WAF) that allows an authenticated remote attacker to perform OS command injection.
When exploited, the vulnerability allows the attacker to execute arbitrary commands on the system via the Security Assertion Markup Language (SAML) server configuration page. This gives the attacker complete control of the affected device with the highest possible privileges.
How it works
An attacker authenticated to the device’s management interface can smuggle commands into the “Name” field of the SAML Server configuration page using backticks. These commands are then executed as the root user of the operating system. The attacker can install a persistent shell, crypto-mining software, or other malware. In the unlikely event that the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ.
While authentication is required for this exploit, the vulnerability could be combined with a separate authentication bypass issue, such as CVE-2020-29015.
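To make the injection mechanism and its fix concrete, here is an added example (not Fortinet’s code and not Rapid7’s proof of concept): the vulnerable string-building pattern shown next to an allow-list validator and an argv-based invocation, plus an audit helper a defender can run over already-configured names. The `saml-tool` command, the name policy and the sample names are assumptions.

```python
import re
import shlex
import subprocess
import sys

# Assumed policy for a SAML server name (not Fortinet's actual rule): a short
# identifier made of letters, digits, dot, dash and underscore.
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Characters a POSIX shell interprets; a backtick starts command substitution.
SHELL_META = set("`$;|&<>(){}[]*?!#~\n\r\\\"' ")

def name_is_valid(name: str) -> bool:
    """Allow-list check: accept only names matching the assumed policy."""
    return NAME_RE.fullmatch(name) is not None

def suspicious_names(names):
    """Defender-side audit: return configured names that contain shell metacharacters."""
    return [n for n in names if any(ch in SHELL_META for ch in n)]

def build_command_unsafe(name: str) -> str:
    """Vulnerable pattern: user input interpolated into a string handed to a shell.
    Anything between backticks in `name` would run before the intended program
    ever saw it. Shown for contrast only; never executed here."""
    return f"saml-tool register --name {name}"  # saml-tool is a hypothetical helper

def build_argv_safe(name: str) -> list:
    """Hardened pattern: validate first, then pass the name as its own argv element
    so no shell ever parses it."""
    if not name_is_valid(name):
        raise ValueError(f"rejected SAML server name: {name!r}")
    return ["saml-tool", "register", "--name", name]

def echo_via_argv(name: str) -> str:
    """Show that argv passing hands the string through literally. A Python
    one-liner stands in for the real tool so this runs anywhere."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", name]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    good, bad = "corp-idp_01", "idp`id`"  # constructed sample names
    print(build_argv_safe(good))
    print(suspicious_names([good, bad]))  # the audit flags the second name
    print(echo_via_argv(bad))             # printed literally; nothing substituted
    print(shlex.quote(bad))               # defence in depth if a shell string is unavoidable
```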
For further information on this vulnerability kindly follow this URL:
While no patch is available yet for this vulnerability, users are advised to disable access to the FortiWeb device’s management interface from untrusted networks, including the internet. This interface should only be reachable from trusted internal networks or via a secure VPN connection.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
- Fortinet security advisory (17th August 2021). Retrieved from thehackernews.
- Fortinet security advisory (17th August 2021). Retrieved from Rapid7.