Fortinet has released security updates to address a command injection vulnerability that could let attackers take full control of servers running vulnerable FortiWeb web application firewall (WAF) installations.
The security flaw, discovered by Rapid7 researcher William Vu, has yet to receive a CVE ID, and it impacts Fortinet FortiWeb versions 6.3.11 and earlier.
Successful exploitation allows authenticated attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.
While attackers must be authenticated to the management interface of the targeted FortiWeb device to abuse this bug, they can easily chain it with other vulnerabilities, such as the CVE-2020-29015 authentication bypass fixed earlier this year.
“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,” Rapid7 explained.
“They might install a persistent shell, crypto mining software, or use the compromised platform to reach into the affected network beyond the DMZ.”
To defend against attacks that might try to exploit this bug, admins are advised to block access to the FortiWeb device’s management interface from untrusted networks (i.e., the Internet).
Such devices should only be reachable via trusted, internal networks or a secure VPN connection, to block threat actors’ exploitation attempts.
- June 2021: Issue discovered and validated by William Vu of Rapid7
- Thu, Jun 10, 2021: Initial disclosure to the vendor via their PSIRT Contact Form
- Fri, Jun 11, 2021: Acknowledged by the vendor (ticket 132097)
- Wed, Aug 11, 2021: Follow-up with the vendor
- Tue, Aug 17, 2021: Public disclosure
Fortinet appliances are an attractive target
Financially motivated and state-sponsored threat actors have been heavily targeting unpatched Fortinet servers over the years.
For instance, they’ve abused the CVE-2018-13379 Fortinet SSL VPN vulnerability to compromise Internet-exposed U.S. election support systems, with Fortinet warning customers to patch the flaw in August 2019, July 2020, November 2020, and again in April 2021.
In November, a threat actor shared a list of one-line CVE-2018-13379 exploits that could’ve been used to steal VPN credentials for roughly 50,000 Fortinet VPN servers, including government entities and banks.
Earlier this year, Fortinet fixed multiple vulnerabilities impacting several of its products. The patched issues include Remote Code Execution (RCE), SQL Injection, and Denial of Service (DoS) bugs in FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products.
Kaspersky also revealed the same month that Fortinet VPNs are being exploited by a new human-operated ransomware strain known as Cring (aka Crypt3r, Vjiszy1lo, Ghost, Phantom) to breach and encrypt industrial sector companies’ networks.
One month later, the FBI issued a flash alert warning of state-sponsored attackers breaching a US municipal government server after compromising a Fortinet FortiGate firewall appliance.