Fortinet fixes vulnerabilities discovered by Positive Technologies

Remote code execution and interception of administrator accounts were among the threats found

Fortinet has fixed four vulnerabilities in FortiWeb, a family of firewalls for web applications, thanks to a discovery by Positive Technologies expert Andrey Medov.

The first vulnerability (CVE-2020-29015, CVSS v3.1 score 6.4) allows blind SQL injection through the FortiWeb user interface. An unauthorized attacker can remotely execute arbitrary SQL queries by sending a request with an authorization header containing a malicious SQL command. To fix the problem, update FortiWeb 6.3.x and 6.2.x to versions 6.3.8 and 6.2.4, respectively.

The second and third vulnerabilities are stack buffer overflows. Vulnerability CVE-2020-29016 (score 6.4) allows an unauthorized remote attacker to overwrite the content of the stack and execute arbitrary code by sending a request with a specially crafted GET parameter certname. To fix the error, update FortiWeb 6.3.x and 6.2.x to versions 6.3.6 and 6.2.4, respectively. Vulnerability CVE-2020-29019 (also rated 6.4) can be used for a DoS attack on the httpd daemon using a request with a specially crafted cookie parameter. To fix the vulnerability, update to 6.3.8 and 6.2.4.

The fourth vulnerability (CVE-2020-29018, score 5.3) is a format string vulnerability that allows attackers to read memory contents, obtain sensitive data, and execute unauthorized code or commands using the redir parameter. The attack is conducted remotely. We recommend updating FortiWeb 6.3.x to version 6.3.6.
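Because the four fixes landed in different patch releases, a version that closes one CVE may still be exposed to another. The following added example (not code from Fortinet, Positive Technologies or the advisory) checks an installed FortiWeb version against the fixed versions stated above, per CVE and per release branch; the version strings fed to it are constructed for illustration.

```python
# Added example: map an installed FortiWeb version to the CVEs that remain open,
# using only the fixed versions this article states per CVE and branch.
from typing import Dict, List, Tuple

# Fixed versions exactly as stated in the text, keyed by CVE then by release branch.
# CVE-2020-29018 has a fix version stated only for 6.3.x, so 6.2.x is deliberately absent.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "CVE-2020-29015": {"6.3": "6.3.8", "6.2": "6.2.4"},  # blind SQL injection
    "CVE-2020-29016": {"6.3": "6.3.6", "6.2": "6.2.4"},  # stack overflow via certname
    "CVE-2020-29019": {"6.3": "6.3.8", "6.2": "6.2.4"},  # httpd DoS via cookie
    "CVE-2020-29018": {"6.3": "6.3.6"},                  # format string via redir
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.3.5' into (6, 3, 5); anything that is not dotted integers is rejected."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(installed: str) -> Dict[str, str]:
    """Return one verdict per CVE: 'fixed', 'vulnerable, update to X', or a note that
    the article states no fix version for this branch (which is not the same as safe)."""
    version = parse_version(installed)
    if len(version) < 3:
        raise ValueError("expected major.minor.patch, e.g. 6.3.5")
    branch = f"{version[0]}.{version[1]}"
    verdict: Dict[str, str] = {}
    for cve, fixes in FIXED_VERSIONS.items():
        fixed = fixes.get(branch)
        if fixed is None:
            verdict[cve] = "no fix version stated for this branch"
        elif version >= parse_version(fixed):   # tuple compare handles 6.3.10 > 6.3.8
            verdict[cve] = "fixed"
        else:
            verdict[cve] = f"vulnerable, update to {fixed}"
    return verdict


def outstanding(installed: str) -> List[str]:
    """CVEs for which the installed version is below the stated fixed version."""
    return sorted(cve for cve, s in assess(installed).items() if s.startswith("vulnerable"))


if __name__ == "__main__":
    for sample in ("6.3.5", "6.3.7", "6.2.3", "6.2.4"):   # constructed sample versions
        print(sample, outstanding(sample))
```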

The fixes were published via Fortinet PSIRT Advisories on January 4, 2021, and Fortinet has strongly urged customers to install the updates as soon as possible.

Andrey Medov at Positive Technologies explains:
"The most dangerous of these four vulnerabilities are the SQL injection (CVE-2020-29015) and buffer overflow (CVE-2020-29016), as their exploitation does not require authorization. The first allows you to obtain the hash of the system administrator account due to excessive DBMS user privileges, which gives you access to the API without decrypting the hash value. The second one allows arbitrary code execution. Additionally, the format string vulnerability (CVE-2020-29018) may also allow code execution, but its exploitation requires authorization."