Fortinet has recently addressed a high-severity vulnerability (CVE-2021-22123) affecting its FortiWeb web application firewall (WAF), a remote, authenticated attacker can exploit it to execute arbitrary commands via the SAML server configuration page.
The vulnerability in the management interface of FortiWeb firewall was discovered by Andrey Medov, from cybersecurity firm Positive Technologies. Medov explained that the successful exploitation could potentially lead to a complete takeover of the server.
“An OS command injection vulnerability in FortiWeb’s management interface may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.” reads the advisory published by the vendor.
The flaw received a CVSSv3 score of 7.4 and the company addressed the issue with the release of FortiWeb versions 6.3.8 and 6.2.4.
Medov warns of the chaining of this issue with other ones, like CVE-2020-29015 that Positive Technologies discovered in May.
The CVE-2020-29015 is a blind SQL injection flaw that a remote, unauthenticated attacker could exploit to execute SQL commands or queries by sending a specially crafted request.
“The command injection vulnerability in the FortiWeb management interface may allow an authenticated remote attacker to execute arbitrary commands in the system via the SAML 1 server configuration page. Executing commands with maximum privileges will result in the attacker gaining full control over the server.” Andrey Medov explains. “If, as a result of incorrect configuration, the firewall administration interface is available on the Internet, and the product itself is not updated to the latest versions, then the combination of CVE-2021-22123 and CVE-2020-29015 that Positive Technologies discovered earlier may allow an attacker to penetrate the internal network.“
(SecurityAffairs – hacking, ransomware)