Fortinet has delayed patching a zero-day command injection vulnerability found in the FortiWeb web application firewall (WAF) until the end of August.
Successful exploitation can let authenticated attackers execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.
While attackers must be authenticated to the management interface of the targeted FortiWeb device to abuse this bug, they can chain it with other vulnerabilities, such as the CVE-2020-29015 authentication bypass, to take full control of vulnerable servers.
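The bug class at issue here is an OS command injection: a value typed into an admin configuration form ends up inside a command the appliance runs as root. The following is an added example constructed for this page, not FortiWeb's code or Rapid7's proof of concept; the page does not describe the real code path or parameter name, so `echo` stands in for whatever helper the appliance invokes with the server name, and the allow-list pattern is an assumed policy. It shows the vulnerable shell-string pattern, the partial fix (argv without a shell) and the hardened form (allow-list validation plus argv).

```python
import re
import subprocess

# Added illustration of the bug class (OS command injection through an
# admin-supplied field), constructed for this page. It is not FortiWeb code:
# the real command, parameter name and code path are not described here, and
# "echo" stands in for whatever helper the appliance runs with the name.

# Assumed allow-list policy for a SAML server name: conservative characters only.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def run_vulnerable(server_name: str) -> str:
    """Vulnerable pattern: the untrusted name is spliced into a shell string.

    A value such as "x; echo INJECTED" terminates the intended command and
    starts a second one; with shell=True the shell runs both.
    """
    cmd = f"echo {server_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(server_name: str) -> str:
    """Partial fix: pass an argv list with no shell, so ';', '|', '$(...)' and
    friends are plain characters in one argument, not shell syntax.

    The name still reaches the helper verbatim, so this alone does not stop
    abuse of the helper's own parsing (paths, option-looking names, etc.).
    """
    return subprocess.run(["echo", server_name], capture_output=True, text=True).stdout


def run_hardened(server_name: str) -> str:
    """Hardened: reject anything outside the allow-list, then use argv."""
    if not NAME_RE.fullmatch(server_name):
        raise ValueError(f"rejected server name: {server_name!r}")
    return subprocess.run(["echo", server_name], capture_output=True, text=True).stdout


def rejects(server_name: str) -> bool:
    """True if the hardened path refuses the name (used to check the policy)."""
    try:
        run_hardened(server_name)
    except ValueError:
        return True
    return False


def injected(output: str) -> bool:
    """True if the marker printed by the injected second command appears as its own line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    payload = "x; echo INJECTED"
    print("vulnerable :", injected(run_vulnerable(payload)))   # True
    print("argv only  :", injected(run_argv_only(payload)))    # False
    print("hardened   :", rejects(payload))                    # True
    print("legit name :", run_hardened("idp-corp-01").strip())
```

The argv form is the fix that actually removes the shell from the path; the allow-list is defence in depth, because a name that never reaches a shell can still carry a path or an option that the downstream helper interprets. On an appliance whose admin daemon runs as root, both matter.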
“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,” Rapid7 explained.
“They might install a persistent shell, crypto mining software, or use the compromised platform to reach into the affected network beyond the DMZ.”
The zero-day, discovered by Rapid7 researcher William Vu, is yet to receive a CVE ID, and it affects Fortinet FortiWeb versions 6.3.11 and earlier.
To defend against attacks that may try to exploit this bug until a patch is available, admins are advised to block access to the FortiWeb device’s management interface from untrusted networks (i.e., the Internet).
Such devices should only be reachable via trusted, internal networks or a secure VPN connection, to block threat actors’ exploitation attempts.
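Restricting the management interface is a firewall-policy question, so the check worth automating is whether any accept rule lets a non-trusted source reach the appliance's admin ports. The following is an added example written for this page, not Fortinet code and not a Fortinet policy export format: the rule dictionaries, addresses (203.0.113.10 as the assumed management address, 203.0.113.20 as the assumed VIP fronting a protected site) and trusted networks are all constructed, and it handles IPv4 only. It flags both the obvious any-source rule and a source range that is broader than the trusted network it overlaps.

```python
import ipaddress

# Added example for the mitigation above: audit a firewall policy for rules
# that let untrusted sources reach the appliance's management interface.
# The rule format, addresses and ports are constructed for illustration;
# this is not a Fortinet export format or Fortinet code. IPv4 only.

MGMT_PORTS = {22, 443}  # assumed: SSH and the HTTPS admin interface


def rule_exposes_mgmt(rule, mgmt_ip, trusted_nets):
    """True if an accept rule lets a source outside every trusted network
    reach a management port on the management address."""
    if rule["action"] != "accept" or rule["dport"] not in MGMT_PORTS:
        return False
    if mgmt_ip not in ipaddress.ip_network(rule["dst"]):
        return False  # traffic to a protected site's VIP is the WAF's job, not exposure
    src = ipaddress.ip_network(rule["src"])
    # A source range is acceptable only if it sits entirely inside one trusted
    # network; 0.0.0.0/0 or a range wider than the trusted net is exposure.
    return not any(src.subnet_of(net) for net in trusted_nets)


def audit(rules, mgmt_ip, trusted_nets):
    """Return the ids of rules that expose the management interface."""
    mgmt = ipaddress.ip_address(mgmt_ip)
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return [r["id"] for r in rules if rule_exposes_mgmt(r, mgmt, nets)]


# Constructed sample policy (not a real export). 203.0.113.10 is the assumed
# management address, 203.0.113.20 the assumed VIP for a protected web app.
SAMPLE_MGMT_IP = "203.0.113.10"
SAMPLE_TRUSTED = ["10.0.0.0/8", "192.168.50.0/24"]  # internal mgmt net and VPN pool
SAMPLE_RULES = [
    {"id": "waf-public-443", "src": "0.0.0.0/0",      "dst": "203.0.113.20/32", "dport": 443, "action": "accept"},
    {"id": "admin-from-corp", "src": "10.10.0.0/16",  "dst": "203.0.113.10/32", "dport": 443, "action": "accept"},
    {"id": "admin-from-vpn",  "src": "192.168.50.0/24", "dst": "203.0.113.10/32", "dport": 22, "action": "accept"},
    {"id": "admin-any",       "src": "0.0.0.0/0",     "dst": "203.0.113.10/32", "dport": 443, "action": "accept"},
    {"id": "admin-partner",   "src": "192.168.0.0/16", "dst": "203.0.113.10/32", "dport": 443, "action": "accept"},
    {"id": "deny-all",        "src": "0.0.0.0/0",     "dst": "0.0.0.0/0",       "dport": 0,   "action": "deny"},
]


if __name__ == "__main__":
    for rule_id in audit(SAMPLE_RULES, SAMPLE_MGMT_IP, SAMPLE_TRUSTED):
        print("management interface exposed by rule:", rule_id)
```

The point of the VIP rule is that a WAF is supposed to accept Internet traffic on 443 for the sites it protects; only the management address needs the allow-list, so the audit keys on destination as well as port. The `subnet_of` test, rather than a simple overlap check, is what catches `admin-partner`: 192.168.0.0/16 overlaps the VPN pool but is far wider than it.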
- June 2021: Issue discovered and validated by William Vu of Rapid7
- Thu, Jun 10, 2021: Initial disclosure to the vendor via their PSIRT Contact Form
- Fri, Jun 11, 2021: Acknowledged by the vendor (ticket 132097)
- Wed, Aug 11, 2021: Followup with the vendor
- Tue, Aug 17, 2021: Public disclosure via this post
- Tue, Aug 17, 2021: Vendor indicated that Fortiweb 6.4.1 is expected to include a fix, and will be released at the end of August
Fortinet appliances are an attractive target
Financially motivated and state-sponsored threat actors have been heavily targeting unpatched Fortinet servers over the years.
For instance, they’ve abused the CVE-2018-13379 Fortinet SSL VPN vulnerability to compromise Internet-exposed U.S. election support systems, with Fortinet warning customers to patch the flaw in August 2019, July 2020, November 2020, and again in April 2021.
In November, a threat actor shared a list of one-line CVE-2018-13379 exploits that could’ve been used to steal VPN credentials for roughly 50,000 Fortinet VPN servers, including government entities and banks.
Earlier this year, Fortinet fixed multiple vulnerabilities impacting several of its products. The patched issues include Remote Code Execution (RCE), SQL Injection, and Denial of Service (DoS) bugs in FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products.
Kaspersky also revealed the same month that Fortinet VPNs are being exploited by a new human-operated ransomware strain known as Cring (aka Crypt3r, Vjiszy1lo, Ghost, Phantom) to breach and encrypt industrial sector companies’ networks.
One month later, the FBI issued a flash alert warning of state-sponsored attackers breaching a US municipal government server after compromising a Fortinet FortiGate firewall appliance.