Patch for FortiWeb flaw due over the coming days

UPDATED A vulnerability has been discovered in Fortinet’s web application firewall (WAF) that allows attackers to run arbitrary commands on devices and servers running the security software, according to new findings by Rapid7.

FortiWeb protects web applications from attacks that target known and unknown vulnerabilities. Fortinet provides FortiWeb as a SaaS offering as well as hardware WAFs with various network capacities.

According to Rapid7’s William Wu, the SAML configuration page of FortiWeb had a command injection vulnerability that allowed attackers to embed arbitrary system commands in web requests.

These commands would then be executed as the root user on the operating system running FortiWeb.

Authentication required

A proof of concept shows how an attacker could exploit the vulnerability by adding a backtick and an arbitrary command to an HTTP request.
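To make the mechanism concrete, here is an added illustration (not Fortinet's, Rapid7's or the proof of concept's code) of why a backtick in a submitted SAML configuration value becomes command execution when the value is spliced into a shell command line, alongside two defensive layers that stop it: an allowlist on the field and an argv-style invocation that never goes through a shell. The tool path, field names and character rules are hypothetical.

```python
import re
import subprocess
from typing import List

# Layer 1: allowlist what a SAML entity ID or IdP URL may contain.
# Backticks, $(), ;, |, &, redirects, quotes and newlines never belong in one.
_SAML_FIELD = re.compile(r"^[A-Za-z0-9._:/?=%-]{1,512}$")   # hypothetical rule
_SHELL_META = re.compile(r"[`$;|&<>\n\\'\"()]")

def shell_metachars(value: str) -> List[str]:
    """Shell metacharacters present in a submitted value (useful for logging and alerting)."""
    return sorted(set(_SHELL_META.findall(value)))

def validate_saml_field(value: str) -> str:
    """Reject any value outside the allowlist before it reaches a system call."""
    if not _SAML_FIELD.fullmatch(value):
        raise ValueError(f"rejected SAML field, metacharacters {shell_metachars(value)}")
    return value

# Vulnerable pattern (shown for contrast, never executed here): the request value
# is interpolated into one string that a shell will parse, so anything inside
# backticks is evaluated by the shell, as root if the daemon runs as root.
def build_unsafe_command(idp_url: str) -> str:
    return f"/usr/bin/saml-config --idp-url {idp_url}"   # hypothetical tool path

# Layer 2: build an argv list and hand it to exec, not to a shell. Metacharacters
# then arrive at the program as literal bytes with no special meaning.
def build_safe_argv(idp_url: str) -> List[str]:
    return ["/usr/bin/saml-config", "--idp-url", validate_saml_field(idp_url)]

def run_argv_literal(argv: List[str]) -> str:
    """Run an argv list without a shell and return its stdout (trailing newline stripped)."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.rstrip("\n")

if __name__ == "__main__":
    # Constructed sample: even without the allowlist, exec-style invocation leaves
    # the backticks uninterpreted, so echo prints them back verbatim.
    print(run_argv_literal(["echo", "https://idp.example.com/sso`id`"]))
    print(build_safe_argv("https://idp.example.com/sso"))
```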

The vulnerability is only accessible to authenticated parties, so an adversary would need to gain access to the administrator’s credentials before staging the attack.

However, once the device is compromised, the attacker can leverage the vulnerability to control the affected device “with the highest possible privileges”, according to Rapid7.

“The disclosed FortiWeb issue is essentially a privilege escalation from ‘FortiWeb user’ to ‘Operating System root,’ so an attacker who already has a method for being authenticated can take control of the underlying machine that is running the FortiWeb application,” Tod Beardsley, director of research at Rapid7, told The Daily Swig.

“[The attacker] might install a persistent shell, crypto-mining software, or other malicious software,” Rapid7 wrote in its advisory.

If the device’s management interface is exposed to the internet, the attacker could use the compromised platform to reach into the affected network beyond the secured perimeter.

Rapid7’s researchers found fewer than 300 FortiWeb devices that had their management interface accessible from the general internet.

Patch incoming

Fortinet will patch the bug in the next version of FortiWeb (6.4.1), which according to Rapid7 will be released later in August.

In the meantime, Rapid7 advises administrators to make FortiWeb’s device management interface inaccessible to untrusted networks, including the general internet.

“Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway.

“In nearly all cases, this is a bad idea, since it opens up a whole bunch of attack surfaces to strangers on the internet, often for no real reason or upside,” Beardsley warned. “Web management consoles should really only be exposed to trusted networks, so internal-only or over VPN.”


This article has been updated to include comment from Rapid7.
