Details have emerged about a new unpatched security vulnerability in Fortinet's web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system.
"An OS command injection vulnerability in FortiWeb's management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page," cybersecurity firm Rapid7 said in an advisory published Tuesday. "This vulnerability appears to be related to CVE-2021-22123, which was addressed in FG-IR-20-120."
Rapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with version FortiWeb 6.4.1.
The command injection flaw is yet to be assigned a CVE identifier, but it has a severity rating of 8.7 on the CVSS scoring system. Successful exploitation of the vulnerability can allow authenticated attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.
"An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges," Rapid7's Tod Beardsley said. "They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ."
Rapid7 also warns that while authentication is a prerequisite for achieving arbitrary command execution, the exploit could be chained with an authentication bypass flaw, such as CVE-2020-29015. In the interim, users are advised to block access to the FortiWeb device's management interface from untrusted networks, including taking steps to avoid direct exposure to the internet.
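To illustrate the bug class behind this advisory, here is an added example (not FortiWeb's code, whose internals the article does not show) of a hypothetical handler for an administrative "SAML server name" field: the vulnerable variant interpolates the value into a shell command string, while the hardened variant validates it against an allowlist and hands an argv list to the OS so no shell ever parses it. The helper names, the `/data/saml` path and the sample inputs are all constructed for this example.

```python
import re
import shlex

# Allowlist for the hypothetical SAML server name field (constructed).
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Shell control operators that turn one command into several.
CONTROL_OPERATORS = {";", "&&", "||", "|", "&"}


def build_command_vulnerable(server_name: str) -> str:
    """Interpolate an untrusted field into a shell command string.

    Whatever the admin UI accepts is later parsed by /bin/sh, so any
    metacharacter in the value is interpreted as shell syntax. Returned
    as a string only; this example never executes it."""
    return f"mkdir -p /data/saml/{server_name}"


def build_command_hardened(server_name: str) -> list:
    """Validate against the allowlist, then build an argv list.

    The list form is what would be passed to subprocess.run(argv) with
    shell=False, so the value reaches mkdir as one literal argument."""
    if not SAFE_NAME.match(server_name):
        raise ValueError(f"rejected SAML server name: {server_name!r}")
    return ["mkdir", "-p", f"/data/saml/{server_name}"]


def shell_control_operators(cmd: str) -> list:
    """Tokenise cmd the way a POSIX shell would and return the control
    operators found. A non-empty result means the field value changed
    the command structure, which is the injection condition."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in CONTROL_OPERATORS]


if __name__ == "__main__":
    # Constructed sample inputs: a benign name and one carrying a
    # command separator.
    for name in ("idp1", "idp1; echo injected"):
        cmd = build_command_vulnerable(name)
        print(f"{cmd!r} -> operators {shell_control_operators(cmd)}")
        try:
            print("hardened argv:", build_command_hardened(name))
        except ValueError as exc:
            print("hardened:", exc)
```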
While there is no evidence that the new security issue has been exploited in the wild, it's worth noting that unpatched Fortinet servers have been a lucrative target for financially motivated and state-sponsored threat actors alike.
Earlier this April, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.
In the same month, Russian cybersecurity firm Kaspersky disclosed that threat actors exploited the CVE-2018-13379 vulnerability in FortiGate VPN servers to gain access to enterprise networks in European countries to deploy the Cring ransomware.