Fortinet has recently addressed a high-severity vulnerability (CVE-2021-22123) affecting its FortiWeb web application firewall (WAF). A remote, authenticated attacker can exploit it to execute arbitrary commands via the SAML server configuration page.
The vulnerability in the management interface of FortiWeb firewall was discovered by Andrey Medov, from cybersecurity firm Positive Technologies. Medov explained that the successful exploitation could potentially lead to a complete takeover of the server.
“An OS command injection vulnerability in FortiWeb’s management interface may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.” reads the advisory published by the vendor.
The flaw received a CVSSv3 score of 7.4 and the company addressed the issue with the release of FortiWeb versions 6.3.8 and 6.2.4.
Medov warns that this issue could be chained with other flaws, such as CVE-2020-29015, which Positive Technologies discovered in May.
CVE-2020-29015 is a blind SQL injection flaw that a remote, unauthenticated attacker could exploit to execute SQL commands or queries by sending a specially crafted request.
“The command injection vulnerability in the FortiWeb management interface may allow an authenticated remote attacker to execute arbitrary commands in the system via the SAML 1 server configuration page. Executing commands with maximum privileges will result in the attacker gaining full control over the server.” Andrey Medov explains. “If, as a result of incorrect configuration, the firewall administration interface is available on the Internet, and the product itself is not updated to the latest versions, then the combination of CVE-2021-22123 and CVE-2020-29015 that Positive Technologies discovered earlier may allow an attacker to penetrate the internal network.”
(SecurityAffairs – hacking, ransomware)