Researchers have discovered a vulnerability in Fortinet’s FortiWeb web application firewall (WAF), and while it has been classified as high severity, the actual risk of exploitation in the wild seems low.
The flaw was discovered by William Vu, researcher at cybersecurity firm Rapid7, and it’s unclear if it has been patched by the vendor. Nevertheless, Rapid7 disclosed its details on Tuesday.
SecurityWeek reached out to Fortinet for comment before the publication of this article, but the company has yet to respond.
Tod Beardsley, director of research at Rapid7, told SecurityWeek that they have not seen any information from Fortinet regarding a patch, but they do expect the vulnerability to be fixed soon.
The issue identified by Vu is a variation of CVE-2021-22123, a FortiWeb OS command injection vulnerability patched by Fortinet a few months ago.
The flaw impacts the management interface of the FortiWeb WAF, specifically the “Name” field of a SAML Server configuration page, which can be abused to execute arbitrary commands with root privileges. This can ultimately allow the attacker to take complete control of the device.
“[The attacker] might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ,” Rapid7 said in a blog post.
However, it’s worth noting that exploitation of the vulnerability requires the attacker to be authenticated on the targeted system.
“[The vulnerability] can only be exploited by either a malicious insider or on a device that mistakenly exposes its management interface to the internet,” Beardsley said via email. “Further, the attacker needs to be already authenticated, so the attacker would need to either first have a username and password, guess the same, or use another vulnerability to bypass authentication (like CVE-2020-29015).”
“So, given all these constraints, I’d say the risk is ‘pretty low.’ A lot has to go right for the attacker — namely, a network misconfiguration and an authentication bypass or guess,” he added.
Rapid7 pointed out that while its recent scans showed roughly one million internet-exposed Fortinet devices, only some of those are FortiWeb systems, and only a small fraction of those expose their management interface to the web. Rapid7 has only seen a couple hundred FortiWeb management interfaces exposed to the internet.
Given the widespread use of Fortinet products, it’s not surprising that many state-sponsored and profit-driven threat actors have been exploiting vulnerabilities in these products. The U.S. government has issued several warnings and advisories related to the exploitation of Fortinet vulnerabilities.
UPDATE: Fortinet has provided SecurityWeek the following statement:
“The security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the Fortinet PSIRT Policy page, which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. As such, we had expected that Rapid7 hold any findings prior to the end of the our 90-day Responsible disclosure window. We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window. We are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week.”