Security module heals itself
The FortiWeb web application firewall (WAF) is designed to shield servers from web-based attacks, but was itself vulnerable to an SQL injection problem.
This vulnerability (CVE-2020-29015) in the user interface of FortiWeb allowed an unauthenticated, remote attacker to execute arbitrary SQL queries or commands before it was resolved, an advisory from Fortinet admits.
The problem was discovered and disclosed by Andrey Medov of PT Swarm, Positive Technologies’ offensive security team.
Medov further discovered that FortiWeb had a buffer overflow issue (CVE-2020-29016) that might be exploited to execute unauthorized commands.
A separate stack-based buffer overflow vulnerability in FortiWeb may allow a remote, authenticated attacker to crash the WAF’s httpd daemon thread by sending a request with a crafted cookie header.
The bug – another Medov find – posed a denial-of-service risk.
The same researcher also discovered a slightly less severe format string vulnerability in FortiWeb that could have allowed an authenticated, remote attacker to read the content of memory and retrieve sensitive data.
“We discovered the bugs through our pentesting work with a customer,” Medov told The Daily Swig. “We identified the Fortinet device and examined it, uncovering the vulnerabilities.
“SQL injection may be considered the most interesting [find] because it can be undertaken without authorisation and is pretty critical.”
The format string and SQL injection vulnerabilities affect FortiWeb versions 6.3.5 and below and were resolved by version 6.3.6.
However, the memory handling problems both affected FortiWeb versions 6.3.7 and below, according to the vendor.
These particular flaws were only resolved by upgrading to FortiWeb 6.3.8 or above, or, for users on the earlier 6.2 release train, by upgrading from FortiWeb 6.2.3 and below to 6.2.4.
The practical upshot seems to be that users ought to update to FortiWeb 6.3.8 to be safe.
“Overall, it is a challenging but worthy undertaking to uncover vulnerabilities in security vendors’ products, as we are helping our customers and the wider security community improve their defenses,” Medov said.
In addition to this quartet of flaws, Fortinet also resolved a critical OS command line injection vulnerability in its FortiDeceptor line as part of the same patch batch, all released on Tuesday (January 5).
This article has been updated to include comment from Positive Technologies.