Security house Rapid7 have identified an OS command injection vulnerability in the FortiWeb management interface. The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the system. It has been given a score of 8.7 out of 10 under CVSSv3. Fortinet have announced that a patch will be released later this month (August 2021) to address the issue. Proof-of-concept exploit code has been released; however, the vulnerability has not yet been observed being actively exploited.
An OS command injection vulnerability in FortiWeb’s management interface may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page. The injected commands run as the root user of the underlying operating system, which could give the authenticated attacker complete control of the device.
If you are running any of the versions of FortiWeb listed below, you are vulnerable to this issue.
FortiWeb versions 6.3.7 and below
FortiWeb versions 6.2.3 and below
FortiWeb versions 6.1.x, 6.0.x, 5.9.x.
Containment, Mitigations & Remediations
Until an official patch is released, users are advised to make the FortiWeb device’s management interface unreachable from untrusted networks such as the internet or third-party networks. The interface should instead be reachable only from trusted internal networks, or over a secure VPN connection.
Indicators of Compromise
There are currently no IoCs available for this issue. However, depending on the logging within your environment, monitoring access to the relevant /api/v2.0/user/remoteserver.saml endpoint may detect exploitation attempts.
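As an added example (not part of the original advisory or any Fortinet tooling), the following script scans access-log lines for requests to the SAML server configuration endpoint named above and flags those coming from outside the trusted management networks the mitigation section recommends. It assumes an Apache/NCSA combined-style log line and hypothetical trusted network ranges; both are assumptions to adapt to your environment.

```python
import ipaddress
import re

# Endpoint the advisory names as the one to monitor for exploitation attempts.
SAML_ENDPOINT = "/api/v2.0/user/remoteserver.saml"

# Hypothetical trusted management networks; an assumption, tune to your environment.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("192.168.50.0/24")]

# Apache/NCSA combined-style access log line. Assumption: FortiWeb's own log
# format may differ, so adapt the regex to what your log source actually emits.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_saml_hits(lines, trusted=TRUSTED_NETS):
    """Return every request to the SAML server configuration endpoint as a dict;
    'untrusted_source' is True when the client address lies outside the trusted
    management networks (the advisory's recommended exposure boundary)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path != SAML_ENDPOINT:
            continue
        src = ipaddress.ip_address(m.group("ip"))
        hits.append({
            "ts": m.group("ts"), "ip": str(src), "user": m.group("user"),
            "method": m.group("method"), "status": int(m.group("status")),
            "untrusted_source": not any(src in net for net in trusted),
        })
    return hits

# Constructed sample lines, not real FortiWeb output.
SAMPLE_LOG = [
    '10.10.3.4 - admin [12/Aug/2021:09:15:02 +0000] "GET /api/v2.0/system/status HTTP/1.1" 200 512',
    '10.10.3.4 - admin [12/Aug/2021:09:16:44 +0000] "PUT /api/v2.0/user/remoteserver.saml HTTP/1.1" 200 88',
    '203.0.113.7 - admin [12/Aug/2021:11:02:10 +0000] "PUT /api/v2.0/user/remoteserver.saml?x=1 HTTP/1.1" 200 88',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in find_saml_hits(SAMPLE_LOG):
        level = "ALERT" if h["untrusted_source"] else "info "
        print(f'{level} {h["ts"]} {h["ip"]} {h["user"]} {h["method"]} {h["status"]}')
```

Any write to this endpoint is worth reviewing against change records even from a trusted address, since the vulnerability is reachable by an authenticated administrator.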
Management interfaces of such devices are typically not accessible from the internet unless the device is managed by a third party (MSP). A number have been noted as being open to the public; however, the figures for this are low. Separate networks, such as those of supplier or client organisations, may have the management interface exposed to them and may therefore become a supply chain attack vector.
While authentication is a prerequisite for exploitation, this vulnerability could be chained with an authentication bypass issue such as CVE-2020-29015.
Given the availability of PoC exploit code, the nature of the device, and the customer base of these products, exploitation of this vulnerability in combination with others, such as the one listed above, is likely to be seen.